
Mogale City residents can view one another’s bills online

Mogale City's electronic billing system is questioned.

MyBroadband recently released a report revealing a shocking reality about Mogale City’s electronic billing system.

According to the report, to date Mogale City residents have been able to view one another’s electronic bills.

The flaw, they say, lies with the hosted repository management system (RMS) that the municipality uses.

A spokesperson for Bidvest Data told MyBroadband that it owns and operates the ebillrms.co.za domain where the RMS is hosted.

Similar to the vulnerability on the City of Joburg (CoJ) e-Services portal, bills could be requested by entering a document number in a browser’s URL bar. These document numbers were sequential, making it very easy to guess them.

Unlike the CoJ vulnerability, bills are visible only to users logged into the RMS, and according to the information MyBroadband received, very little personal information is shown on the bills themselves.

However, it was demonstrated to MyBroadband that finding valid login credentials for the Mogale City RMS was fairly easy.

This stems from the municipality’s decision to use a resident’s account number as their default username and password.

The Mogale City website urges users to change their password after they have logged in for the first time, but users aren’t forced to do so by the RMS.
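The controls whose absence the report describes can be sketched in a few lines. This is an added example, not code from the article or from the RMS: the class and function names are hypothetical and the account numbers and bill text are constructed. It shows random instead of sequential document identifiers, an ownership check on every bill request, and a first-login password change that the system enforces rather than recommends.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    account_number: str
    password: str  # plaintext only to keep the sketch short; store a hash in practice
    must_change_password: bool = True  # set when the account is provisioned


@dataclass
class BillStore:
    # document id -> (owner account number, bill text)
    bills: dict = field(default_factory=dict)

    def add_bill(self, owner: str, text: str) -> str:
        # Random identifier, so a neighbouring document cannot be guessed.
        doc_id = secrets.token_urlsafe(16)
        self.bills[doc_id] = (owner, text)
        return doc_id

    def get_bill(self, user: User, doc_id: str) -> str:
        # Being logged in is not enough: the default password must be gone...
        if user.must_change_password:
            raise PermissionError("password change required before viewing bills")
        record = self.bills.get(doc_id)
        # ...and the bill must belong to the requester. "Missing" and
        # "not yours" return the same error so identifiers cannot be probed.
        if record is None or record[0] != user.account_number:
            raise LookupError("document not found")
        return record[1]


def change_password(user: User, new_password: str) -> None:
    # Reject the provisioning default (password equal to the account number).
    if new_password == user.account_number:
        raise ValueError("password must differ from the account number")
    user.password = new_password
    user.must_change_password = False
```
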

When contacted about the potential security problem, the Bidvest Group company behind E-bill RMS thanked MyBroadband and the vulnerability researcher for bringing it to their attention.

Although they could not provide specific feedback on the situation, it was apparent that Mogale City’s instance on the RMS platform had been placed in maintenance mode within minutes of the problem being reported. This prevented users from signing in until the issue could be addressed.

At the time of writing, Mogale City’s e-bill system was still in maintenance mode.
