
If you changed the number on your bill you'd get a different person's bill

It didn't take a rocket scientist to figure out this was a bad idea.  Johannesburg, the largest city in South Africa, ran an e-statement website that offered helpful information such as your water and electricity bills, plus details of the property.  There was just one issue: once you were logged into the system you could change the property number in the request, which meant you could read anyone's account.  The site checked that you were logged in, but never checked that the property you asked for was yours.

I. Tech Executive Finds Huge Flaw, is Met With Silence

The flaw allowed you to snoop on others' water and electric bills, plus city property valuations and arrears (unpaid debt).
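The bug described above is the classic insecure direct object reference: the server authenticates the visitor but never checks that the identifier supplied in the request belongs to them.  The following Python is an added illustration, not code from the City of Johannesburg or its contractor; the account names, property numbers, amounts and function names are constructed for the example.  It shows the vulnerable lookup beside a hardened one that consults a server-side ownership table, and a small harness that walks sequential property numbers the way the article describes to show which of the two leaks other people's bills.

```python
"""Constructed demonstration of an insecure direct object reference (IDOR)
in a billing lookup, and the authorization check that closes it.
All data and names below are made up for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    property_number: str
    owner: str          # account that is entitled to view this record
    water_due: float
    electricity_due: float
    arrears: float      # unpaid debt carried over from earlier bills


# Constructed sample records standing in for the billing database.
STATEMENTS = {
    "1001": Statement("1001", "alice", 420.00, 1310.50, 0.00),
    "1002": Statement("1002", "bob", 95.10, 640.00, 55000.00),
    "1003": Statement("1003", "carol", 0.00, 0.00, 1500.00),
}

# Server-side mapping from authenticated account to the properties it may see.
# This table, not the number in the URL, is what must decide access.
OWNERSHIP = {
    "alice": {"1001"},
    "bob": {"1002"},
    "carol": {"1003"},
}


class Forbidden(Exception):
    """Raised when the request has no valid session at all."""


def vulnerable_statement(session_user, property_number):
    """Vulnerable handler: checks that *someone* is logged in, then returns
    whatever record the client-supplied property number points at.
    Any logged-in user who edits the number gets another person's bill."""
    if session_user not in OWNERSHIP:
        raise Forbidden("not logged in")
    return STATEMENTS.get(property_number)


def hardened_statement(session_user, property_number):
    """Hardened handler: same lookup, but the record is released only if the
    ownership table says this account is entitled to this property."""
    if session_user not in OWNERSHIP:
        raise Forbidden("not logged in")
    if property_number not in OWNERSHIP[session_user]:
        # Answer exactly as for a non-existent record, so a probing client
        # cannot tell "not yours" from "does not exist" and enumerate numbers.
        return None
    return STATEMENTS.get(property_number)


def enumerate_leak(handler, session_user, start=1000, count=10):
    """Simulates an attacker with one session walking sequential property
    numbers. Returns the owners whose records were exposed to that session."""
    leaked = []
    for n in range(start, start + count):
        try:
            record = handler(session_user, str(n))
        except Forbidden:
            break
        if record is not None and record.owner != session_user:
            leaked.append(record.owner)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", enumerate_leak(vulnerable_statement, "alice"))
    print("hardened handler leaks:  ", enumerate_leak(hardened_statement, "alice"))
```

The fix is deliberately not "hide the property number" or "make it random": an opaque identifier only slows enumeration down, while the ownership check in `hardened_statement` removes the class of bug entirely, because the server decides from its own records which properties the session may see.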

Gerd Naschenweng, chief technology officer of Bid or Buy -- one of South Africa's largest online auction/marketplace sites -- discovered this astounding oversight one day while trying to help a friend find his account.  He recalls:

I was astounded to see I could access anyone’s account. I had a bit of fun going through the accounts and I am shocked to see what large amounts people owe the city.  This problem is poor implementation of their website, which disregards any best practices for web and data security. In the IT industry this is a rookie mistake.
The service provider that implemented this functionality will need to implement a solution so that only authenticated users can view their own data.  [Otherwise] people could even apply for credits and refunds owing to ratepayers.

City of Johannesburg
Johannesburg, South Africa [Image Source: Urban Africa]

The IT specialist first tried to contact the city to warn them of the issue.  He called a troubleshooting hotline (the City of Johannesburg (COJ) Call Center), but had his concerns quickly dismissed.  He recalls, "The agent just did not comprehend the nature and the urgency of the matter and when I asked to speak to a supervisor, I was cut off."

He then emailed the city with his name, a description of the problem, and his contact details.  He waited, but received no response.

Frustrated, Mr. Naschenweng chose to disclose the vulnerability to The Star (a local paper), sending it the property records of several large businesses.  The records pointed to potential corruption: many large businesses carried a large amount of unpaid debt (arrears) yet had not been cut off.  Among these businesses was SA National Roads Agency Ltd (Sanral), which owed R55,000 (~$5,380 USD).

II. Finally a Response

The publication provoked action.  Late on Tuesday afternoon the page was taken down.  As customer frustration mounted on Wednesday, the city first posted a short statement saying it was "experiencing technical difficulties", then offered a longer comment via city spokesperson Nthatisi Modingoane, who announced:

We are aware of the security breach and our technical team has brought the services down to prevent further unauthorised access to consumer accounts.  The city (is) investigating the root cause and a permanent solution will be applied. We do apologise for any inconvenience caused


The public relations officer of the nation's centrist Democratic Alliance (DA) party, Linus Muller, comments both on the flaw itself and the corruption allegations:

Any incident that exposes ratepayers’ information that could be used to commit fraud is a cause for concern.  Fraudsters had access to close on a million clients’ account details - this could be used, in conjunction with fake IDs, in any credit purchase transaction as proof of residence. It is regrettable that the so-called caring and world-class city chose to ignore a whistle-blower’s attempts to make them aware of the problem.

The city’s policy is to disconnect electricity to clients with arrears of R1 500 or more for 30 days or longer. To my knowledge, this has not happened. I am also not aware if Sanral is another ‘high- profile’ victim of the billing crisis, and need either to pay their dues, or set the record straight.

A statement on the city website claimed that while no user records had been compromised, the system had been "hacked", and went on to state, menacingly:

The City would like to reassure its customers that no information can be manipulated on the City’s Billing System.  The City is undertaking legal proceedings against those who viewed and posted information unlawfully.

Many interpreted this to mean that the city was going after Mr. Naschenweng, the executive who disclosed the flaw.  However, he says that no one has contacted him yet, and that if he is being charged no one has told him.  He explains, "I believe any criminal charges will have no merit or grounds, because the information is publicly available. Anyone out there would have had access to that information. Just because I was the person to come across it and tried to inform the COJ of the issue, they want to file criminal charges."

III.  City Threatens Unnamed "Hacker(s)" With Criminal Charges

A second statement, however, raises questions of whether it is the CTO who is being investigated.  The COJ writes:

At no stage has any of our residents’ personal information been compromised (banking details or ID numbers); this has been a priority for the City of Joburg to ensure safety and privacy of customer information.  The information that was accessed was not from the transactional engine of the billing system of the City of Joburg and the perpetrators were not able to transact on any of the information they have accessed. 

The City is busy with its own forensic investigation with its IT partner to assist the police with the criminal case that will be opened as a result of this incident. Any such breach in future, aimed at stealing personal or municipal information, will also be regarded as a criminal matter.

Note that the language ("perpetrators", "they have accessed") is plural, indicating multiple parties.  Unless that means the city is also planning to charge the newspaper, it may mean Mr. Naschenweng is off the hook.

COJ claims "hackers" compromised its site.

The Managing Director of local security firm Wolfpack, Craig Rosewarne, says that charging the man who discovered the flaw -- or anyone else, for that matter -- would be bad form.  He comments to local tech site ITWeb Security:

It seems they [COJ] are now trying to position this as someone hacking into their system, but this is not the case.  They are probably referring to the Electronic Communications and Transactions Act… It would be in very poor taste if the City of Joburg is to sue this person [who revealed the flaw], because this is not hacking. This is just one of many examples of a Web site not being designed with security in mind.

So far the city has not announced whom, if anyone, it is charging with electronic crimes.

IV. Another City Has Near Identical Flaw

Meanwhile, Htxt.Africa reports that the neighboring Municipality of Ekurhuleni has a nearly identical bug in its online billing system and, to boot, lets users create accounts on that system with false details (a forum user, JoseP, first discovered that bug).

City of Ekurhuleni
Another neighboring municipality was found to have the same fatal flaw.

Htxt.Africa blasted the COJ's legal threats and its labelling of the discoverer(s) as "hacker(s)".  It contacted the University of Pretoria's Sylvia Papadopoulos, who said the people of the COJ may be eligible to bring a class action lawsuit.  She remarks:

The possible ramifications of such a breach in data security are enormous.  There are two or three possible avenues open for parties affected by the data breach.

The best option is that in South African law the right to privacy is protected in terms of both our common law and section 14 of the Constitution and it is recognized as an independent valuable personality right.  Therefore any action in this sphere of the law is a synthesized action based on both the common law and constitutional law principles.

The recognition of a right to privacy is also extended to commercial entities. In principle a party (class action for damages) would have to prove: that there was a disclosure of private information, i.e. a breach of privacy; that the breach was unlawful/wrong/unjustifiable and due to negligence on the part of the party you want to hold liable; that their actions/inaction caused damage; and finally you have to prove the amount of damage suffered.

The only possible issue here is showing that actual damage occurred.

Perhaps that's why the city is taking such a defensive tone.

Sources: City of Johannesburg [1], [2], ITWeb, Htxt.Africa

Comments

Sigh
By Shig on 8/25/2013 6:50:56 PM , Rating: 5
Another case of 70 year olds setting internet policy for 20 year olds. I wonder why they keep getting it wrong.

RE: Sigh
By Lord 666 on 8/25/2013 11:49:05 PM , Rating: 2
Appears to be more the case of sloppy outsourcing.

RE: Sigh
By Solandri on 8/26/2013 5:25:16 AM , Rating: 2
70 year olds outsourcing to 20 year olds whose only qualifications are that they're the kids of campaign contributors/personal friends of the 70 year olds.

RE: Sigh
By spaced_ on 8/31/2013 1:48:34 AM , Rating: 2
Gold comments.

I can just see the 70 year olds running around panic-stricken after this happened. OH MY GOD THE SKY IS FALLING! WHAT'S HAPPENING?!?

Aahhh.. Jo'burg CBD
By petrosy on 8/25/2013 7:45:58 PM , Rating: 2
The pic sums it up perfectly ... Nice from far.... but definitely far from nice!

RE: Aahhh.. Jo'burg CBD
By Captain Orgazmo on 8/25/2013 8:31:08 PM , Rating: 2
Funny :)

However, wouldn't even say nice from far. That is some nasty depressing concrete architecture a la Soviet Russia or Western 1960/70's "modern" or "international" style.

Whats the big deal?
By fxnick on 8/27/2013 8:20:32 AM , Rating: 2
Umm..Taxes, Water Bills, land values.. etc is Public Information here in the US
At least in NH it can go onto your city/town website punch in anyone's address and see that kind of info.

RE: Whats the big deal?
By DrizztVD on 8/27/2013 4:15:24 PM , Rating: 2
Umm..Taxes, Water Bills, land values.. etc is Public Information here in the US

Can you see what the payment detail is on their account as well? The big problem is that you could use the info from someone else's account to conduct business like take out a cellphone contract, loan or whatever.

This is an interesting story, I wonder what it would have yielded if someone had investigated high-ranking politicians payment details. I wouldn't be surprised if serious discrepancies were found with some.

Though you really can't blame the municipality much. They have strong national policies that prevent white workers from being employed or promoted if they deem the white/black ratio isn't favourable. This has led to serious skill shortages in the departments. They make up the shortfall by outsourcing a lot of work. But there really isn't anyone who has the skills to check the outsourced work for consistency in a lot of cases. It's quite irritating though, because if you wanted to move into those places to make a difference and you happen to be white, you will get shown the door.

Logged in? haha!
By Sunbird on 8/26/2013 3:04:17 AM , Rating: 3
"However, there was just one issue -- once you were logged in the system you could change the property number, which means that you could access anyone's account."

One didn't even have to be logged in, I'm not a resident of that city so don't have an account, I could access accounts just by going to a URL posted on the MyBroadband website and move between residents accounts by changing digits in the URL.

It was probably
By spamreader1 on 8/26/2013 9:43:31 AM , Rating: 2
Programmed by South African Princes looking for alternative ways to get their missing money back. E-mail wasn't working so well.

Ekurhuleni lifestyle in pictures
By vicarious1 on 8/26/2013 7:31:16 PM , Rating: 2
Actually Ekurhuleni, having lived there, was the municipality with the best service, the best roads, way smoother than Sandton where "the rich like to snuggle up" in cramped expensive townhouses and villas with no street lights and plenty of pot holes.
Ekurhuleni was able to keep everything in good condition till they added many other municipalities to care and pay for, and my friends tell me it is still not far from very good.
If you'd like to see what living in Ekurhuleni looks like from a positive side, visit our home in Ekurhuleni.
Not far from where Charlize Theron is from, Germiston, just a few miles' drive, and our bills are paid in full :-)
And you haven't visited South Africa yet?
Go before it's all spoiled by the wrong politics. It's one of the best countries worldwide to have on one's bucket list!


@ Captain Orgazmo
By vicarious1 on 8/26/2013 7:19:03 PM , Rating: 1
For this whole sad Internet glitch. Well, the NSA isn't better. I just wish I could read all the secrets of the ANC's wrongdoing instead of someone's electricity bill. I guess someone with a preferred empowerment contract was running that show.
Maybe those are not the most pleasing photos, but JHB has some very nice buildings, sure better than Detroit!
For the rest, wherever you are, you wish you had a city as nice as Johannesburg, offering one of the greenest lifestyles worldwide. JHB is the world's largest man-made forest. And not every South African is a criminal. Crime is always pumped up by the media and often by South Africans who have chosen to live abroad as they can't live with the people of South Africa.
As a European who lived in Johannesburg for ten years till 07, I say many cities worldwide could only wish to have the excellent infrastructure of South African cities and road quality. :-) Many countries can only dream of half the lifestyle South Africa can offer. I miss it every day. Here are +-10,000 photos of South Africa. For example, compare this.
Compared to Vancouver, where in 2013 we can't book a specific movie seat online and where buying a ticket online costs $1 more than at the counter. In Johannesburg I can go to a movie hall, see the latest international blockbuster with butler service and club sofa armchairs for one or two, and get a full "finger food buffet", all for $15.


Copyright 2016 DailyTech LLC.