Some details on the eThekwini Municipality vulnerability


Here are some extra details on what happened yesterday.

Here is the MyBroadband article for context.

Timeline

At 12pm 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.

Presumably they were staging emails, because at 4:31pm 7 September I received the same email. The password was in plain text, and was my actual password, not a newly generated one.
This means they were either storing the passwords in plain text, or encrypting them and storing that – both of which are obviously bad, because if they can decrypt it, chances are so can someone else.

20 minutes later I tweeted the image.

Immediately after tweeting I logged in, saw the obvious issue with viewing other people’s data, and emailed them to let them know that there was a problem – I did not tweet about this.
Werner Van Deventer emailed them at the same time (note that the 5:50pm tweet that @matthewsavides refers to is the one at 4:50PM linked above).

Werner emailed someone directly at eThekwini, along with CC’ing their public address, with lots of detail.

From: Werner van Deventer
Sent: 07 September 2016 04:55 PM
To: [NAME REMOVED]
Cc: Revline
Subject: eServices security disaster
 
Hi [NAME REMOVED],
 
I got your email address from a customer survey email sent a while back. This new site has serious security problems that were not difficult to identify.
 
Today I got an email with my account password in plain text; this clearly means you are not hashing or securing passwords in your database. I am unable to change my password to something more secure, so this is left exposed.
 
The site does not use SSL, so all logins and activity are exposed over the network in plain text for anyone to intercept.
 
You have an account enumeration exploit on your forgot password page, so it’s easy to find out registered email addresses.
 
You can request anyone’s bill with an account number and date, without being logged in!
Not my bill for example: http://eservices.durban.gov.za/v2/Report/GenerateBill?accountNumber=xxxxxxxx&billDate=2016-06-11
 
Getting account numbers and other personal information (ID numbers, phone numbers, email addresses) is not difficult either since you can view and edit anyone’s details by changing the customer ID in the URL. This is extremely serious as you are exposing sensitive information about customers including their account number to access their municipal bills.
 
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177531&agentId=0 – [NAME REMOVED]
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177532&agentId=0 – [NAME REMOVED]
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177533&agentId=0 – [NAME REMOVED]
 
It appears as though you are also able to edit this information quite easily which could completely corrupt your database and prevent people from getting their bills. Anyone can register for an eServices account and perform these exploits.
 
I strongly suggest switching off this site and fixing the problems as you are exposing people’s personal information including my own.
 
Regards,
Werner


He received a response at 8:01 AM the following day.

From: [NAME REMOVED]
Date: Thu, Sep 8, 2016 at 8:01 AM
Subject: RE: eServices security disaster
To: Werner
Good Day Werner
 
I have forwarded your email to the relevant team, to look at the issues you mentioned below.
 
Regards
[NAME REMOVED]


(Back to the 7th)
Right after emailing them, I contacted Jan Vermeulen from MyBroadband about it. We agreed that I’d give them some time to reply, and then if they didn’t respond to me he would get the MyBB media team to contact them and give them 48 hours before publishing anything publicly.

At around 11PM 7 September, Werner DM’d them on Twitter urging them to take the site down. He then DM’d them again at about 11AM 8 September, 3 hours after the reply from [NAME REMOVED] above.

Werner also attempted a call to their call center on the morning of the 8th but was not able to get through – presumably they were handling lots of calls about the new system in general.

At around 12PM the next day (8 September), Taylor Gibb posted a blog post about it.

At 1:14PM eThekwini replied on Twitter.

An hour later, around 2 PM they took the site down, and it is still down as of right now.

Around the same time MyBroadband published their article (obviously the 48 hour responsible disclosure no longer applied at this stage).

Details

The URL to a particular profile is:
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=123456
[When the site was up] a person needed to be logged into the site to access the page. However, once logged in you could change that customerId to anything and view their profile.
I wish it was the first time I had seen something this bad in production.

While viewing someone else’s account it looked like you could access as much as you could on your own profile. This included residential addresses, ID number, cell and phone numbers, email address, and yes, password.

You could also access bills for any user, even without being logged in. Not only that, but Werner was able to access bills for hours after the site was “taken offline”.

Werner confirmed that you could edit someone else’s details, since the ID of the user was stored in a hidden field and POSTed to the server, instead of using the ID of the actual logged-in user.
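The two bugs just described (the customerId trusted from the URL, and the hidden-field ID trusted on POST) beside the handlers a developer should have written, as an added example that is not the eServices code base. Profiles, sessions and requests are constructed in memory; the function names and the Forbidden exception are assumptions standing in for a web framework's 403 response.

```python
# Added example, not the eServices code base: the bug described above (customerId
# trusted from the URL and a hidden form field) beside fixed handlers. All data,
# sessions and requests are constructed in memory.
from dataclasses import dataclass

@dataclass
class Profile:
    customer_id: int
    email: str

# Constructed stand-in for the customer table.
PROFILES = {
    177531: Profile(177531, "a@example.invalid"),
    177532: Profile(177532, "b@example.invalid"),
}

class Forbidden(Exception):
    """Refused request; a web framework would map this to HTTP 403."""

def view_vulnerable(session_customer_id, query):
    """Serves whatever customerId the query names: any login reads any profile."""
    if session_customer_id is None:
        raise Forbidden("login required")
    return PROFILES[int(query["customerId"])]

def view_fixed(session_customer_id, query):
    """Serves only the record bound to the session; a mismatching customerId is
    refused (and worth logging) so enumeration attempts show in the audit trail."""
    if session_customer_id is None:
        raise Forbidden("login required")
    requested = int(query.get("customerId", session_customer_id))
    if requested != session_customer_id:
        raise Forbidden(f"session {session_customer_id} asked for {requested}")
    return PROFILES[session_customer_id]

def update_vulnerable(session_customer_id, form):
    """Hidden-field pattern: the id being edited is read back from the POST body."""
    if session_customer_id is None:
        raise Forbidden("login required")
    target = PROFILES[int(form["customerId"])]
    target.email = form["email"]
    return target

def update_fixed(session_customer_id, form):
    """Only the session's own record is writable; the form's id is never consulted."""
    if session_customer_id is None:
        raise Forbidden("login required")
    target = PROFILES[session_customer_id]
    target.email = form["email"]
    return target
```

The fixed handlers key every read and write to the server-side session identity, which is the whole of the repair; refusing rather than silently substituting the caller's own record keeps the attempt visible in logs.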

This is a screenshot of me viewing someone else’s account.

The IDs were incremental, and went up to just over 300,000. @brutaldev confirmed that of those, around 98,000 were tied to real customers.

As of right now it is safe to assume that that entire dataset has been scraped by at least one [but probably multiple] person with ill-intent.
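Given incremental IDs and a site that serves any of them to any login, the scrape described above would leave one session walking through consecutive customerId values on the profile endpoint. The following is an added detection example, not part of the original post: it flags such sessions in web server access logs. The log lines and their "client-ip session-id request" layout are constructed for the example; the thresholds are assumptions to tune per site.

```python
# Added example (not part of the original post): flag sessions that walk through
# many distinct customerId values on the profile endpoint, the access pattern a
# scrape of incremental IDs leaves in web logs. Log lines are constructed and the
# "<client-ip> <session-id> <request>" layout is an assumption.
import re
from collections import defaultdict

PROFILE_RE = re.compile(r"GET /v2/Profile/Index2\?customerId=(\d+)")

# Constructed sample: one scraping session (sessA) and one ordinary user (sessB).
SAMPLE_LOG = """\
10.0.0.5 sessA GET /v2/Profile/Index2?customerId=177531&agentId=0
10.0.0.5 sessA GET /v2/Profile/Index2?customerId=177532&agentId=0
10.0.0.5 sessA GET /v2/Profile/Index2?customerId=177533&agentId=0
10.0.0.5 sessA GET /v2/Profile/Index2?customerId=177534&agentId=0
10.0.0.9 sessB GET /v2/Profile/Index2?customerId=200100&agentId=0
10.0.0.9 sessB GET /v2/Report/GenerateBill?accountNumber=xxxxxxxx&billDate=2016-06-11
"""

def profile_ids_per_session(log_text):
    """Map session id -> sorted list of distinct customerIds it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        _ip, session, request = parts
        m = PROFILE_RE.search(request)
        if m:
            seen[session].add(int(m.group(1)))
    return {s: sorted(ids) for s, ids in seen.items()}

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in a sorted id list."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_distinct=3, min_run=3):
    """Sessions whose profile requests look like enumeration: at least
    min_distinct different ids including a consecutive run of min_run."""
    flagged = {}
    for session, ids in profile_ids_per_session(log_text).items():
        run = longest_sequential_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[session] = (len(ids), run)
    return flagged
```

A user viewing only their own profile never trips this rule, so it can feed an alert or a session kill without touching normal traffic.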

Also, as of right now, eThekwini has not notified anyone that their personal details have been compromised.
Taylor and Cath received an email from eThekwini about a possible breach, but neither Werner, my colleague, nor myself have received it.
This is a pretty big problem, and it is totally irresponsible. Besides personal details, many people use the same password in multiple places (shame on you!).

This is the email they sent out:

From: eThekwini Municipality Press Release <no-reply@durban.gov.za>
Date: Thu, Sep 8, 2016 at 8:34 PM
Subject: PUBLIC NOTICE TO ALL ETHEKWINI MUNICIPALITY ESERVICES USERS
To: [NAME REMOVED]
ETHEKWINI NEWS FLASH
FOR IMMEDIATE RELEASE
08 September 2016
PUBLIC NOTICE TO ALL ETHEKWINI MUNICIPALITY ESERVICES USERS
EThekwini Municipality is investigating claims that information is being shared relating to customers’ accounts and as a precautionary measure, the Municipality has taken the site offline in order to prevent any unauthorised access to our client data.
It is envisaged that the site will be back online on Monday, 12 September 2016 and in the meantime eServices users can contact the Revenue call centre on 031 324 5000.
Should customers prefer to email or fax their query they may do so on the following contact details:
Email address – Revline@durban.gov.za / Fax 031 324 5111.
All eServices users are asked not to panic because the City has acted proactively to protect their private information.
ENDS
Issued by eThekwini Municipality’s Head of Communications, Tozi Mthethwa.
For more information members of the media can contact Princess Nkabane on 031 311 4818 or princess.nkabane@durban.gov.za or Gugu Mbonambi on 031 311 4855 or email gugu.mbonambi@durban.gov.za.

The password I had tied to my account was a crazy bad one that I can only assume I put in never intending to use the account (which I didn’t – I only knew I had an account when I got the email).

Anyway, go make sure you didn’t use the same password twice!

