Ster-Kinekor’s old website allowed anyone with know-how to retrieve the profile details of every user on the site. This information included phone numbers, addresses and plaintext passwords.
Software developer Matt Cavanagh revealed the bug in a blog post on Thursday, after disclosing it to Ster-Kinekor last year.
“They took the high road of admitting they were at fault, and didn’t try to pass the blame off. I appreciate that,” Cavanagh told Memeburn of their response to his report.
According to the developer, he found the bug in the backend API by pulling apart the Flash components of the website. He admits he didn’t have substantial knowledge of Flash, but says the bug was so rudimentary that it didn’t matter.
“It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge — which is sort of what makes this scary,” he wrote on his blog. “I had no idea how Flash worked — I still don’t — or if it is possible to pull it apart. So I Googled ‘Flash decompiler’.”
Google was all the help Cavanagh needed to take advantage of the vulnerability, and eventually he managed to pull data from all 6.7 million users on the site.
Developer Matt Cavanagh managed to retrieve user details of almost seven million users from the old Ster-Kinekor website
What surprised him even further was that after he had retrieved every single user’s personal information, Ster-Kinekor was unaware anything had even happened.
“As far as I can tell, they had no monitoring of their service. After doing all the above, I got through to the person who I was told was in charge of the platform, and they sounded surprised that I had done this,” he wrote. “If their service was getting hit with downtime, they should probably have some automated warnings.”
Considering the site likely gets tens of thousands of queries a day, Cavanagh writes that admins should have been notified when that number jumped to 6.7 million.
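The kind of automated warning Cavanagh describes is not hard to build. The example below is added here and is not code from Cavanagh or Ster-Kinekor: it runs two checks over a constructed access log, one for hourly request volume blowing past a baseline, and one for a single client walking through far more distinct profile IDs than any real user would. The log format and the /api/profile/<id> path are assumptions for illustration; the article does not say what the real endpoint looked like, and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed access-log format (an assumption for this example, not Ster-Kinekor's):
#   "<ISO timestamp> <client ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed profile endpoint; the article does not name the real one.
PROFILE_RE = re.compile(r"^/api/profile/(\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method, "path": path, "status": int(status)}


def detect(lines, baseline_per_hour, volume_factor=5, enum_threshold=50):
    """Return a list of alerts for (a) hours whose request count exceeds
    baseline_per_hour * volume_factor and (b) clients that fetched at least
    enum_threshold distinct profile IDs, i.e. are enumerating the user base."""
    per_hour = Counter()
    ids_per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the monitor
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        per_hour[hour] += 1
        m = PROFILE_RE.match(rec["path"])
        if m:
            ids_per_client[rec["ip"]].add(int(m.group(1)))

    alerts = []
    for hour, n in sorted(per_hour.items()):
        limit = baseline_per_hour * volume_factor
        if n > limit:
            alerts.append({"type": "volume", "hour": hour.isoformat(),
                           "requests": n, "threshold": limit})
    for ip, ids in ids_per_client.items():
        if len(ids) >= enum_threshold:
            alerts.append({"type": "enumeration", "ip": ip,
                           "distinct_ids": len(ids)})
    return alerts


def make_sample_log():
    """Constructed sample traffic (not real data): three ordinary users each
    fetch their own profile twice, then one client walks IDs 1..600."""
    lines = []
    t0 = datetime(2017, 1, 5, 10, 0, 0)
    normal = [("192.0.2.10", 1234), ("192.0.2.11", 5678), ("192.0.2.12", 91011)]
    for i, (ip, pid) in enumerate(normal):
        for k in range(2):
            ts = t0 + timedelta(minutes=10 * i + k)
            lines.append(f"{ts.isoformat()} {ip} GET /api/profile/{pid} 200")
    for pid in range(1, 601):
        ts = t0 + timedelta(seconds=pid // 10)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /api/profile/{pid} 200")
    return lines


if __name__ == "__main__":
    for alert in detect(make_sample_log(), baseline_per_hour=100):
        print(alert)
```

The volume check alone would have caught a 6.7 million-request day against a tens-of-thousands baseline, but it says nothing about who was responsible; the per-client distinct-ID check is what turns "we are busy" into "someone is scraping every profile", and it fires long before the whole user base is gone.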
Ster-Kinekor has since eliminated the bug by rolling out a new system with Vista a few months ago. Cavanagh insists that anything is better than what they had before.
“I would assume that it is safer, simply because there aren’t many ways to make something worse than their old service,” he told Memeburn.
What should users do about the breach?
Ster-Kinekor insists there have been no leaks since Cavanagh’s report.
“Since being made aware of this state of affairs by Mr. Cavanagh, no further breaches have been detected,” it told MyBroadband.
But this doesn’t mean that no one else has discovered the bug.
“They are not sure if someone got it before me, either,” Cavanagh told us. “As explained in my blog post, it wasn’t something that was hard to find, so it is better to assume that someone else does have it.”
If you have used your Ster-Kinekor password on other sites, the developer urges you to change it there immediately.
“If someone has this data, they could try to get into other services that users use, which will be possible if they’ve used the same password in multiple places,” he says. “The only thing a user can do is make sure they have not shared their old SK password with any other site/service. If they have, they need to go change it immediately.”