Security flaw* in City of Johannesburg's invoicing system means anyone can see any resident's bills



  • As reported here.

    tl;dr Change account number in URL to view complete bill, including name and address, and most crucially, the amount by which the account is in arrears.
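The flaw in the tl;dr above is an insecure direct object reference: the bill is looked up purely by the account number in the URL, with no check that it belongs to the logged-in resident. As an added illustration (not part of the original thread, and not the city's actual code), here is a constructed Python sketch of that lookup beside a hardened version that checks ownership, plus a simple log check that flags a session requesting far more account numbers than one resident could plausibly own. All accounts, names and users are made up.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bill:
    account: str
    name: str
    address: str
    arrears: float  # amount in arrears; constructed sample value


# Constructed sample data; these are not real accounts or residents.
BILLS = {
    "1000001": Bill("1000001", "Resident A", "1 Example Road", 0.0),
    "1000002": Bill("1000002", "Resident B", "2 Example Road", 1234.56),
}

# Constructed mapping from authenticated user to the accounts they own.
OWNERSHIP = {"user_a": {"1000001"}, "user_b": {"1000002"}}


def vulnerable_view(account_in_url: str) -> Optional[Bill]:
    """The pattern described in the tl;dr: the bill is fetched by the URL
    parameter alone, so changing the number in the URL returns anyone's bill."""
    return BILLS.get(account_in_url)


def hardened_view(user: Optional[str], account_in_url: str) -> Optional[Bill]:
    """Fetch the bill only if the authenticated user owns that account.

    None (served as 404) is returned both for unknown accounts and for accounts
    owned by someone else, so the response does not reveal which numbers exist."""
    if user is None or account_in_url not in OWNERSHIP.get(user, set()):
        return None
    return BILLS.get(account_in_url)


def flag_enumeration(access_log: list[tuple[str, str]], threshold: int = 5) -> set[str]:
    """Detection side: flag sessions that requested at least `threshold` distinct
    account numbers. access_log is a list of (session_id, account_in_url) pairs."""
    seen: dict[str, set[str]] = {}
    for session_id, account in access_log:
        seen.setdefault(session_id, set()).add(account)
    return {sid for sid, accounts in seen.items() if len(accounts) >= threshold}
```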



  • It's nice when you don't even have to hack a site to get private info.

    But, on the other hand, aside from Identity theft (and a rates bill is not THAT useful) there is no real useful info.


    Someone did suggest that using the identity to set up a bank account, then claiming refunds into that account is possible, but then again, they have obviously never tried to get a refund from the City of Johannesburg - these things take months or years.



  • As a firm, you can have quite a bit of information about potential customers with this. Not that any self-respecting corporation would try to know who pays their bill in due time and who desperately needs some money here and now.



  • True. We already have a massive cold-calling loan industry.



  • @scudsucker said:

    It's nice when you don't even have to hack a site to get private info.


    But, on the other hand, aside from Identity theft (and a rates bill is not THAT useful) there is no real useful info.

    Actually, there is a shed load of useful info, especially as the city council is likely to have other poor, low-security processes to deal with their customers.

    You could use this account info to convince someone at the council that you are one of these customers over the phone:



    "Oh hello.... I'm [Name], living at [Place].... you sent me an invoice on [Date] for the sum of [Money], but I don't think it's correct.... I'm sure I already paid..."

    ...etc...



    You can then use this situation to trick whoever is on the end of the line either into revealing more information, or performing actions on the account in question.



  • @eViLegion said:


    You could use this account info to convince someone at the council that you are one of these customers over the phone....
    You can then use this situation to trick whoever is on the end of the line either into revealing more information, or performing actions on the account in question.


    I don't live in JHB, but apparently it is next to impossible to get the 3rd world call centre to do anything at all - for even the most mundane tasks, residents have to go to the Municipal offices.




  •

    @The_Assimilator said:

    Filed under: *not so much a flaw as a complete lack thereof

    A complete lack of flaw? So it's flawless.


  •

    @scudsucker said:

    I don't live in JHB, but apparently it is next to impossible to get the 3rd world call centre to do anything at all - for even the most mundane tasks, residents have to go to the Municipal offices.
    Security by immutability? That almost works, except for the way the details can be used elsewhere with somewhat less bureaucratic organizations that actually try to be a bit helpful…



  • South Africa has been in decline ever since apartheid was changed by 180 degrees.







  • @beginner_ said:

    South Africa has been in decline ever since apartheid was changed by 180 degrees.




    Look at Zimbabwe and see how good things are since they kicked out the Evil White People.



  • @eViLegion said:

    @scudsucker said:
    It's nice when you don't even have to hack a site to get private info.


    But, on the other hand, aside from Identity theft (and a rates bill is not THAT useful) there is no real useful info.

    Actually, there is a shed load of useful info, especially as the city council is likely to have other poor, low-security processes to deal with their customers.

    You could use this account info to convince someone at the council that you are one of these customers over the phone:



    "Oh hello.... I'm [Name], living at [Place].... you sent me an invoice on [Date] for the sum of [Money], but I don't think it's correct.... I'm sure I already paid..."

    ...etc...



    You can then use this situation to trick whoever is on the end of the line either into revealing more information, or performing actions on the account in question.

    The only flaw in this mastermind plan is that the odds of finding the account of someone who has money or anything valuable are pretty low. The same news in Monte-Carlo or Dubai would be something else.



  • @Ronald said:

    @beginner_ said:

    South Africa has been in decline ever since apartheid was changed by 180 degrees.

    that's wasis!!

    Misuse of a meme. That's a $100 dollar fine, right?



  • @Ben L. said:

    Misuse of a meme. That's a $100 dollar fine, right?

    Well worth it!



