eThekwini Municipality Leaked Private Details Of Almost 100,000 Residents

The website of Durban’s eThekwini municipality exposed the private details of 98,330 accounts.

Software developer Matt Cavanagh first posted about the security flaws on Twitter yesterday.

According to Cavanagh, the municipality’s website appeared to be storing user passwords in plain text and e-mailing them to users, which in itself was a major security concern.

Upon further investigation, it was discovered that it was possible for anyone to view the account information of any registered eThekwini resident.

The owner of DevEnterprise Software, Werner van Deventer, told MyBroadband that the details of 98,330 residents were exposed online and could be viewed by anyone who had the link.

Data exposed included passwords, full names, addresses, and ID numbers.

Though none of the security researchers could confirm it, it may even have been possible to alter people’s account details.

Screenshots illustrating the security flaw are included below.

[Screenshot: ethekwini-leak]

[Screenshot: ethekwini-leak-account-details]

No Action Until Public Shaming

Cavanagh, van Deventer, and other security researchers contacted the municipality to warn it of the issue, but received no feedback.

Only after software engineer Taylor Gibb posted about it on his blog and it was spread on Twitter did the municipality react.

The website has since been taken offline, and the municipality has apologised for the leak.

Van Deventer said he was trying to figure out a way to disclose the vulnerability with SensePost CTO Dominic White without giving people with malicious intent a chance to extract the data.

“Not many people realised the underlying request also contains the password,” Van Deventer said.

“I also highlighted to them that you can generate bills for anyone without being logged in, until a few minutes ago that was still live.”
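The three defects reported above (a record served to anyone holding the link, the password carried in that record, and no login required) map onto a single missing authorisation layer. The following is an added illustration, not code from the municipality’s site or from any of the researchers, using constructed sample accounts: the vulnerable lookup beside a hardened one that binds the lookup to a session, checks ownership, and stores only a salted password hash.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample records (not real resident data).
ACCOUNTS = {
    "1001": {"name": "Resident A", "address": "1 Example Rd", "id_number": "SAMPLE-ID-A"},
    "1002": {"name": "Resident B", "address": "2 Example Rd", "id_number": "SAMPLE-ID-B"},
}
# The pattern the article describes: passwords kept in plain text beside the profile.
PLAINTEXT_PASSWORDS = {"1001": "hunter2", "1002": "letmein"}


def vulnerable_account_view(account_id):
    """Anyone who supplies an account id gets the full record, password
    included, with no session check at all."""
    record = dict(ACCOUNTS[account_id])
    record["password"] = PLAINTEXT_PASSWORDS[account_id]
    return record


# Hardened version: salted PBKDF2 hash at rest, lookups bound to a session,
# and credential material never serialised into a response.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


CREDENTIALS = {aid: hash_password(pw) for aid, pw in PLAINTEXT_PASSWORDS.items()}
SESSIONS = {}  # session token -> account id


def login(account_id, password):
    cred = CREDENTIALS.get(account_id)
    if cred is None:
        return None
    salt, stored = cred
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):  # constant-time compare
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def hardened_account_view(session_token, account_id):
    """Refuse unauthenticated requests and requests for another resident's
    account; return profile fields only."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("login required")
    if owner != account_id:
        raise PermissionError("not your account")
    return dict(ACCOUNTS[account_id])
```

The same ownership check belongs on every per-account operation, including the bill generation van Deventer mentions, not only on the profile view.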

@cathjenkin Hey @eThekwiniM – once POPI is in effect you could be looking at some serious fines for unprotected personal information

@BruceCGordon @cathjenkin We are looking into this. Sorry about that.

@eThekwiniM @BruceCGordon @cathjenkin TURN THE SERVER OFF!

@taybgibb @BruceCGordon @cathjenkin Thanks Taylor, we have sent your blog post and tweets to Head of IT for immediate action. Thanks Cath.

We are adding the required security to the site, and in the interim will take it offline, until we update the security.

My Broadband