The website of Durban’s eThekwini municipality exposed the private details of 98,330 accounts.
Software developer Matt Cavanagh first posted about the security flaws on Twitter yesterday.
According to Cavanagh, the municipality’s website appeared to be storing user passwords in plain text and e-mailing them to users, which is in itself a serious flaw: a site that can send a password back is not storing a one-way hash of it.
On closer investigation it turned out that anyone could view the account information of any registered eThekwini resident.
The owner of DevEnterprise Software, Werner van Deventer, told MyBroadband that the details of 98,330 residents were exposed online and could be viewed by anyone if they had the link.
Data exposed included passwords, full names, addresses, and ID numbers.
Though none of the security researchers could confirm it, it may even have been possible to alter people’s account details.
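The two weaknesses described above, an account page readable by anyone who has the link and passwords kept in a form the site can e-mail back, as an added illustration in Python. This is not the municipality’s code (which is not public); the account records, the request model and the handler names are all constructed for the example. The vulnerable handler shows the pattern the article describes, the hardened one the minimum fix: require a session, check that it owns the requested account, and store only a salted one-way hash so no response or e-mail can ever contain a password.

```python
"""Added illustration of the flaw classes reported above (broken access control
on an account page, plus plain-text password storage). All data here is made up
for the example; nothing in this file is the municipality's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (hypothetical residents, not real data).
ACCOUNTS = {
    "10001": {"name": "A. Resident", "address": "1 Example Road",
              "id_number": "0000000000001", "password": "hunter2"},
    "10002": {"name": "B. Resident", "address": "2 Example Road",
              "id_number": "0000000000002", "password": "letmein"},
}


@dataclass
class Request:
    """Minimal model of an HTTP request to an account page."""
    account_id: str               # comes from the URL, so the caller controls it
    session_user: Optional[str]   # account id of the logged-in user, None if anonymous


# ---- Vulnerable pattern: the behaviour the article describes ----------------
def vulnerable_lookup(req: Request):
    """No login check, no ownership check, and the stored password is echoed
    back. Anyone who has or enumerates an account_id can read every record."""
    rec = ACCOUNTS.get(req.account_id)
    if rec is None:
        return 404, {"error": "no such account"}
    return 200, dict(rec)   # includes the plain-text password


# ---- Hardened pattern --------------------------------------------------------
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, iterated one-way hash: the site can verify a password but can
    never recover it, so it can never e-mail it either."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Store only the hash; the clear-text password never reaches the database.
HASHED_ACCOUNTS = {
    acct_id: {**{k: v for k, v in rec.items() if k != "password"},
              "password_hash": hash_password(rec["password"])}
    for acct_id, rec in ACCOUNTS.items()
}


def hardened_lookup(req: Request):
    """Require a session, require that it owns the requested account, and never
    serialise credential material into the response."""
    if req.session_user is None:
        return 401, {"error": "login required"}
    if req.session_user != req.account_id:
        # Deny before looking anything up, so the response does not reveal
        # whether the requested account exists.
        return 403, {"error": "forbidden"}
    rec = HASHED_ACCOUNTS.get(req.account_id)
    if rec is None:
        return 404, {"error": "no such account"}
    return 200, {k: v for k, v in rec.items() if k != "password_hash"}


if __name__ == "__main__":
    anon = Request(account_id="10002", session_user=None)
    print("vulnerable:", vulnerable_lookup(anon))                    # leaks the full record
    print("hardened:  ", hardened_lookup(anon))                      # 401
    print("hardened:  ", hardened_lookup(Request("10002", "10002")))  # owner only, no password
```

The same two checks (is there a session, and does it own the resource) are what the bill-generation page would need as well; the password hashing is independent of the access-control fix, and both are required before a site like this should go back online.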
Screenshots illustrating the security flaw are included below.
No Action Until Public Shaming
Cavanagh, van Deventer, and other security researchers contacted the municipality to warn it of the issue, but received no feedback.
Only after software engineer Taylor Gibb posted about it on his blog and it was spread on Twitter did the municipality react.
The website has since been taken offline, and the municipality has apologised for the leak.
Van Deventer said he and SensePost CTO Dominic White were trying to work out how to disclose the vulnerability without giving people with malicious intent a chance to extract the data.
“Not many people realised the underlying request also contains the password,” Van Deventer said.
“I also highlighted to them that you can generate bills for anyone without being logged in; until a few minutes ago that was still live.”