The City of Johannesburg (COJ) has opened a police case to determine how its online services system was apparently hacked.
This comes after it was revealed that the online services system that allows residents to view their account statements online, also allows residents' names, addresses, account numbers, PIN codes and financial details to be available to anyone with an Internet connection.
The flaw was revealed by chief technology officer at Bid or Buy, Gerd Naschenweng.
The city took down the system yesterday to fix the security flaw. A statement on the official Web site says the city "is undertaking legal proceedings against those who viewed and posted information unlawfully".
Director for applications at COJ Richard Nene explained yesterday that residents can register on the Web site to be able to view their account statements online. Residents access their statements by logging in with their account number and a PIN. He says the security flaw allows a person to log in using his personal details, and then by changing the account number while staying logged in, being able to view other residents' statements.However, this morning Nene refused to comment on the reasons for the legal proceedings now being undertaken. He merely confirmed that the system was still down.
Naschenweng says the claim by the COJ that the security flaw was revealed through a malicious or sophisticated attack is complete rubbish.
"How I stumbled across it, is I wanted an electronic copy of my account statement, and when I clicked on the link to view the statement, I noticed in the URL of the Web site there was an invoice number. And I thought let me change the invoice number and I can get my previous invoice, and all of a sudden another person's invoice popped up."
He said he then tested the same link in another browser where he was not logged in, and he could still view another resident's statement.
Naschenweng says he then phoned the COJ call centre and tried to explain to an agent what the problem was. "The agent just did not comprehend the nature and the urgency of the matter and when I asked to speak to a supervisor, I was cut off."
He says he then sent an e-mail to the city, including all his contact details, but to this date has not received a response.
Naschenweng says he has not been criminally charged with any offence, so cannot comment on who the COJ is taking legal action against. "I believe any criminal charges will have no merit or grounds, because the information is publicly available. Anyone out there would have had access to that information. Just because I was the person to come across it and tried to inform the COJ of the issue, they want to file criminal charges."
Wolfpack MD Craig Rosewarne says according to Nene's explanation to ITWeb, the problem is due to a security oversight and the Web site not being designed securely. "It seems they [COJ] are now trying to position this as someone hacking into their system, but this is not the case," says Rosewarne.
"They are probably referring to the Electronic Communications and Transactions Act… It would be in very poor taste if the City of Joburg is to sue this person [who revealed the flaw], because this is not hacking. This is just one of many examples of a Web site not being designed with security in mind."
Meanwhile, it seems the same vulnerability exists with the user account system of the Ekurhuleni Municipality. According to tech blogging site Htxt.Africa, once a user has logged into the Ekurhuleni user account system, other people's invoices can be accessed by entering a direct URL link to the files.
The blog notes that it is not the exact same security problem as with the COJ system, as one needs to have credentials to access the Ekurhuleni system. "Registering as a new user, however, takes a couple of minutes and can be done with fake credentials," says the blog.
A spokesperson for the municipality, Sam Modiba, yesterday said the municipality is unaware of any security flaws in its system. Modiba could not be reached again this morning for comment.
Our comments policy does not allow anonymous postings. Read the policy here