Southern Water customers could view others' personal data by tweaking URL parameters

Re: Move along please - nothing to see here

Not just GET/POST being unvalidated like this, but the client being the only source of validation.

I was able to sign up for a new account on [redacted] using an email with the .monster vanity TLD despite the fact that the client JavaScript forbade it; all it took was inspecting the onClick event of the submit button and running the bit of code that was after a few obfuscated if-return statements.

And what do you know, their mailer can send to the address just fine, even though it was supposedly not valid.

I reported this issue a month ago in their fancy ZenDesk service desk and have not heard a single thing back. Maybe ZenDesk doesn't support that TLD either so my emails and clearly visible ticket have just vanished into the ether.

Re: Move along please - nothing to see here

"Software development is the only engineering discipline in which totally self taught and entirely unvalidated practitioners can be let loose to implement mission critical systems"

Sounds like my career in a nutshell. I started to list the various critical systems that I've worked on, but I got scared. Suffice to say no planes have crashed as a result of the code that I have written. (I'm reasonably sure that that is true, but posting anon, just in case).

Re: Move along please - nothing to see here

"It's about time we implemented at least some basic mandatory standard competence checks for web developers."

Why? We don't even require any competence checks for Prime Ministers or spads so this would be seen as vicious discrimination in today's world.

Really though, this is news? I've been seeing this ever since the internet got past 110 baud.

And if the company must activate its lawyers, they should be pointed at the person who wrote that crap in the first place, not the one who discovered the flaw.

Better to pick on the project managers and designers rather than the coders. Its the project managers and designers job to , firstly, design a robust and secure system and, secondly, to make sure its adequately tested, bugfree and secure before it goes live.

If the project manager's bosses prevented adequate testing because deadlines or some similar external reason, then they deserve the blame if testing was incomplete and/or the application was insecure when it went live.

BOFH

I am working as the sole system administrator for an organization—about 65+ servers—and have no formal education. The dude previously in my position (that was fired for being a massive egotistic sociopathic douchenozzle to everyone over the 12ish years he worked there) had a Bachelors in Computer Science and a bunch of certifications. He somehow managed to fuck up every single thing he touched, and I am still working every day to correct course.

Fun stories, no ul because I changed my handle 6 months ago:

- He once said "Guess I've gotta pop the top and see what RAM we have" when asked to increase the memory of a virtual server;

- He never did anything unless there was a chance of making himself look like a competent worker to the higher-ups or look like a God to the peons below and around him;

- When migrating files from one fileserver to another, he somehow busted up the target so bad that it had to be restored from tape;

- Instead of automating various things that I automated week one of my employment, he instead used them as an excuse as to why he could not get other work done;

- He frequently slept in his office—it was audible and loud;

- He laughed at the third-party movers that were utilized to carry a big leather couch up 3 flights of stairs, just to have them move it into his office;

- During his short stint as a manager, he only ever let us sit on his fancy couch when we were in trouble for something.

- He has assaulted employees in the past, and used foul language toward them in multi-CC mailing lists.

Sounds like a great guy to work with huh? Did I mention he was technically overqualified for his position? And that there is much, much more?

Re: Legal action?

Perhaps it would have been better to report the issue (anonymously?) to the ICO instead. Then Southern Water would be the ones worrying about legal action -- and rightly so.

I would still go ahead and report them for GDPR violation though. It's the only way these idiots will ever learn.

And even more obviously:

Dear Southern Water (or something beginning with "wa" anyway)

"We take the protection of customer data very seriously" - um, no you don't.

"we rigorously test our systems" - your interpretation of "rgiorously" and mine are obviously poles apart.

"have strong measures in place to safeguard customer information" - I think this situation proves that is a complete lie.

I think maybe it was referring more to Southern Sewerage's penchant for releasing faecal coliform into the English Channel.

Re: Legality?

Client and server side request forgery (CSRF and SSRF) aren’t really forgery per se. It’s more a case of social engineering the browser/server. “Hey, hand this card to the cashier over there will you?”. Cashier recognised the person handing over the card and acts on the instructions therein.

Vulnerability taxonomy can be pretty hazy, and I personally would describe this as an unsecure direct object reference (IDOR). However I think we can all agree it was an appalling weakness that should never have made it past the design phase never mind to production.

Using turds like S***point, SAP etc as some kind of framework is getting more common. The problem is it appears ppl pick their crap, overpriced middleware based on what they’ve used before rather than what is appropriate. Then you get stuff like this - “we need it to do X to keep the data secure”. “Sorry, it doesn’t support X”

Re: Legality?

IANAL, but I expect there is a legal distinction between certain types of "server side forgeries" - namely changing part of the url to a different but legitimate url (for example in this case, it sounds like they changed the url to one that would have been available to other customers - adjusting key parts of the string of characters that then bring up a different record).

In the Cuthbert case, he used directory path traversal, which from a brief look into what that involves, the url requests are not standard (including "../" etc.) to attempt to manipulate a poorly secured site into providing unauthorised access.

In the first case, it is essentially a more complicated method of having "customer1, customer2, etc." in your url - the obscurity of a string of characters is not sufficient protection and if someone changed a "1" to a "2" in the url, it would not be in the public interest to consider that illegal.

In the second case, this is like someone going around checking if your windows can be opened from outside - whether they succeed or not, the attempt can still be argued as an attempted burglary, and claiming to be security testing someone else's property without consent is a shaky ground. His argument in court was intent, and not helped by the initial attempt to cover up his involvement. If an off-duty police officer went round my house trying to open my windows, I think I would be suspicious of a claim that they were just testing my security.

Unfortunately the water company monopolies are more about shareholder return than providing value for money or a good, efficient service.

For example, there are documented and recorded discussions about the value in investing money in fixing water leaks compared to the money lost through the lost water. At no point was the impact on the end user's water not the environment nor anything longer term considered.

The same goes for software development and testing comparing the investment in software development and testing to the financial risk and liabilities with a failure. One would hope that the specter of GDPR fines would up the financial risk but for many organisations this isn't considered.

Re: "A quick lesson in how not to deploy Sharepoint."

I would assume that this is an O365 implementation as well.

Yet again the obsession with putting everything into a public cloud with SAAS because is is:

Faster,

Agile

Better

More secure

Cheaper

Blah blah,

As with everything O365, you are just running it in that amorphous being known as "the cloud". It never seems to occur to many people who should know better (or listen to those who do know better) that in order connect to the service it is on the public Internet. You can do all sorts of things to protect and hide that but it is still on a public cloud, that is what the term "public means".

Re: Sharepoint ??

It makes me sad too