I just finished my DevConf 2017 talk entitled All your data are belong to us: Reverse-engineering APIs, web scraping, and the details of how I gained access to 7 million Ster-Kinekor accounts.
This blog post is a rough summary of the Ster-Kinekor part of that.
MyBroadband has done a piece on this: Massive flaw in old Ster-Kinekor website leaked clients’ private data
It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge – which is sort of what makes this scary.
If you don’t want to read the details, here is a summary:
Ster-Kinekor had a vulnerability in their site/API that allowed anyone to get the profile details of every single user in their system. Those details included names, addresses, phone numbers, and plaintext passwords (amongst a lot of other fields that you can see below).
To be clear, this wasn’t a hard thing to find at all, and from Ster-Kinekor’s side, it was just pure negligence. Not only did the API hand off details to anyone, they were also storing passwords in their database in plaintext (and returning those to the client!).
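As an added illustration (not Ster-Kinekor’s code, whose API is not shown here), a minimal Python model of the two defects just described beside the hardened form: an object-level authorization check before a profile is returned, an allow-list of fields so no credential field is ever serialised, and passwords stored as salted PBKDF2 hashes rather than plaintext. The function names and sample records are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory user table standing in for the database in the post.
# Passwords are stored only as salted PBKDF2 hashes, never in plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(user_id: int, name: str, email: str, phone: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"id": user_id, "name": name, "email": email, "phone": phone,
            "salt": salt, "password_hash": _hash_password(password, salt)}

USERS = {
    1: make_user(1, "Alice Example", "alice@example.invalid", "+27 00 000 0001", "correct horse"),
    2: make_user(2, "Bob Example", "bob@example.invalid", "+27 00 000 0002", "battery staple"),
}

# Allow-list of fields that may ever reach a client. Credential material is not on it.
PUBLIC_FIELDS = ("id", "name", "email", "phone")

def verify_password(user_id: int, password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    user = USERS[user_id]
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["password_hash"])

def get_profile_vulnerable(requested_id: int) -> dict:
    """The failure mode described in the post: any caller, any id, whole record.
    Here the leaked field is a hash; in the post it was the plaintext password."""
    return dict(USERS[requested_id])

def get_profile(session_user_id: int, requested_id: int) -> Optional[dict]:
    """Hardened form: authorize the object, then serialise only allow-listed fields."""
    if session_user_id != requested_id:
        return None  # caller may only read their own profile; answer as 403/404
    user = USERS.get(requested_id)
    if user is None:
        return None
    return {k: user[k] for k in PUBLIC_FIELDS}
```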