City of Johannesburg Leaks Personal Bills Online, Threatens Flaw Finder 46
An anonymous reader writes "A major security hole in the City of Johannesburg's online billing system has meant that customer invoices have been visible on the open web with a bit of simple parameter phishing. Change a digit in the URL for your bill, and someone else's appears. Including major corporations like the roads agency, SANRAL (which is R55 000 in arrears, apparently). Neighboring Ekhuruleni had a similar problem too. Both problems were discovered by regular visitors at a local IT forum, and it's interesting to compare the two cities reactions. Ekhuruleni quietly and quickly fixed the problem, while Joburg has threatened legal action against the user — who tried to raise the issue with the city IT team several times before going public. Legal experts say there's a potential case for a class action."
Feedback from the guy that found the flaw (Score:5, Informative)
"Hi all, I have yet to get contacted by CoJ or anyone else responsible/concerned about my initiative to help close the data-leak. As far as I am concerned I have not done anything illegal and have not been charged or accused of having conducted anything illegal. The CoJ certainly makes it out that the customer invoices were accessed in an sophisticated and malicious hack. I did elaborate this to the press and while all of you understand exactly what happened it is still astounding that CoJ attempts to bury the real story instead of taking accountability for what actually happened. Although this incident is presented as an attack, Google managed to index the tax-invoices dating back to February 2013 and all information circulating in the press (such as the mentioned SANRAL tax invoice) have been publicly available via a simple Google search, prior to my discovery on 20th August 2013. The CoJ claims of a hack are simply rubbish and any person with an internet connection would have been able to view the same information. There is ZERO IT-skill required to change an invoice number in a web-address. I am not going to worry about any criminal or civil charges and a team of lawyers is ready to deal with those should that situation arise. It is quite shocking to see how the media reported on this issue despite having had many witness accounts and solid evidence at hand. In my opinion it should have never gotten to the point that this situation is now all over the news, had the CoJ acted responsibly and shown accountability and prompt resolve. I think MyBroadband has managed to capture the actual events very accurately and I appreciate all the support, PM's and phone-calls I have received over the last few days. As a rate- and tax-payer it is our civic duty to ensure that our resources are managed in a responsible way and it is quite an embarrassment that our leaders (which we pay via our taxes) show zero interest in serving their residents - if they did, we would not sit with the number of threads and misinformation currently being pedalled to save face. The newspapers equally act irresponsibly by printing anything being said without having verified actual facts (which are readily available) and as such are not improving the situation. As a CoJ resident I am ashamed to life in a city where their representatives lie and misinform to cover up incompetence and shy away from their own accountability."