The eThekwini eServices Website Leaks Your Personal Data

The eThekwini Municipality recently updated the eServices website. The first problem I noticed is that they emailed all users their usernames and passwords, which means they were storing our data in plain text.

This prompted me to investigate further. What I found was shocking: by changing a single portion of the URL, you can see the full details of any other registered user on the system. You can see their:

  • Email
  • ID Number
  • Deceased Status
  • Gender
  • Account Number
  • Cellphone Number

The Government has an obligation to protect our data, and I have an obligation to inform you that your data is not safe. In a matter of minutes, someone could have all of it at their fingertips. The code to dump their entire database, which contains everyone's personal information, would be less than 10 lines.

I have tried to contact them via Twitter and a friend tried to phone them as well, with no response. To be clear, this post is not meant to be malicious, but rather to raise awareness of the fact that this is a huge security issue.

Server Taken Down

The sad part about this whole thing is that it took this blog post and a few tweets to get them to take the server offline.

Once @cathjenkin tweeted them (she must be special, because we didn't get any traction) the conversation started and we managed to convince them to turn off the server at 14:00 GMT+2.

Code

I was actually working on a PowerShell project when I discovered this, so I ended up writing the code in PowerShell. Since PowerShell has native support for sessions, it was possible to do this in just 7 lines of code. You would of course have to replace {token} and {email} with the values you get in your account creation confirmation email.

I should probably let you know that I am just providing this to show you how easily you could have dumped everyone's details. I have not run the script and have no intention of doing that. I am pretty sure, however, that someone out there found the same vulnerability and has this data already. I really hope this highlights the importance of application security.
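As an added illustration from the defender's side (not the author's script and not eServices code), the Python below sketches the server-side pattern behind this kind of bug, a profile lookup that trusts the id in the URL, next to a lookup that ties the id to the logged-in session, plus a log check that flags a session walking through many profile ids. The user table, the session store and the access-log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data standing in for the eServices user table; the field
# names follow the list in the post, the values are made up.
USERS = {
    "1001": {"email": "alice@example.invalid", "id_number": "0000000000001",
             "deceased": False, "gender": "F", "account": "ACC-1001", "cell": "+27000000001"},
    "1002": {"email": "bob@example.invalid", "id_number": "0000000000002",
             "deceased": False, "gender": "M", "account": "ACC-1002", "cell": "+27000000002"},
}
# Hypothetical session store: session token -> id of the user who logged in.
SESSIONS = {"sess-alice": "1001", "sess-bob": "1002"}


def profile_vulnerable(session_token, requested_id):
    """Insecure direct object reference: the handler only checks that *someone*
    is logged in, then returns whatever id was in the URL."""
    if session_token not in SESSIONS:
        raise PermissionError("login required")
    return USERS.get(requested_id)


def profile_fixed(session_token, requested_id):
    """Object-level authorization: the id in the URL must belong to the session
    owner. Other ids get 'not found' so the check does not reveal which ids exist."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("login required")
    if requested_id != owner:
        return None  # the web layer maps None to HTTP 404
    return USERS[owner]


# Detection side: a single session requesting many distinct profile ids is
# enumerating. The log line format below is constructed for this example.
LOG_LINE = re.compile(r"^(?P<sess>\S+) GET /profile/(?P<id>\d+)$")


def enumerating_sessions(log_lines, threshold=3):
    """Return session tokens that fetched more than `threshold` distinct profile ids."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m:
            seen[m["sess"]].add(m["id"])
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```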

Should you want to reach out to me, leave a comment or contact me on taylor [at] developerhut.co.za

Changelog

  • [9/9/2016] - Added information about the server being taken down and added a code sample. This wasn't added during the initial article publication to prevent it getting into the wrong hands.
