back to article Southern Water customers could view others' personal data by tweaking URL parameters

Southern Water - British supplier of the liquid of life - botched its internal Sharepoint implementation so badly that a customer was able to view other people’s account details. Reg reader Chris H discovered that the way Southern Water had set up Sharepoint to host customer information as a “your account” style section of …

  1. Mike 137 Silver badge

    Move along please - nothing to see here

    Yet again! GET parameters passed directly to the database without authentication or session verification.

    It's about time we implemented at least some basic mandatory standard competence checks for web developers.

    Software development is the only engineering discipline in which totally self taught and entirely unvalidated practitioners can be let loose to implement mission critical systems. In fact software development is typically not a "discipline" at all - it's generally performed in an entirely undisciplined manner. Unless that changes we're doomed.

    1. sev.monster

      Re: Move along please - nothing to see here

      Not just GET/POST being unvalidated like this, but the client being the only source of validation.

      I was able to sign up for a new account on [redacted] using an email with the .monster vanity TLD despite the fact that the client JavaScript forbade it; all it took was inspecting the onClick event of the submit button and running the bit of code that was after a few obfuscated if-return statements.

      And what do you know, their mailer can send to the address just fine, even though it was supposedly not valid.

      I reported this issue a month ago in their fancy ZenDesk service desk and have not heard a single thing back. Maybe ZenDesk doesn't support that TLD either so my emails and clearly visible ticket have just vanished into the ether.

      1. Phil O'Sophical Silver badge

        Re: Move along please - nothing to see here

        This presumably explains why I've recently been getting lots of spam from .monster addresses. So much so that all such emails now go directly to a black hole, unread.

        1. sev.monster
          Mushroom

          Re: Move along please - nothing to see here

          Hey, what if I want to sell you penis enlargement pills? I swear they work.

          This will be you after 5 minutes ---->

    2. Anonymous Coward
      Anonymous Coward

      Re: Move along please - nothing to see here

      "Software development is the only engineering discipline in which totally self taught and entirely unvalidated practitioners can be let loose to implement mission critical systems"

      Sounds like my career in a nutshell. I started to list the various critical systems that I've worked on, but I got scared. Suffice to say no planes have crashed as a result of the code that I have written. (I'm reasonably sure that that is true, but posting anon, just in case).

    3. Version 1.0 Silver badge

      Re: Move along please - nothing to see here

      "It's about time we implemented at least some basic mandatory standard competence checks for web developers."

      Why? We don't even require any competence checks for Prime Ministers or spads so this would be seen as vicious discrimination in today's world.

      Really though, this is news? I've been seeing this ever since the internet got past 110 baud.

      1. Swiss Anton

        Re: Move along please - nothing to see here

        The PM is accountable to parliament and the electorate. Software developers aren't really accountable to anyone.

        1. Version 1.0 Silver badge

          Re: Move along please - nothing to see here

          No - software developers for corporation are responsible for the work they do and the corporation is responsible for any errors that they make. Upper management employs middle management to take responsibility to the errors they make, even if the upper management created them - kinda like parliament really.

          The issue (as have have said many times here) is that these days everyone tests to demonstrate that it works and then they stop. Testing to show that it doesn't work generates problems for the tester.

  2. heyrick Silver badge

    "the only engineering discipline in which totally self taught and entirely unvalidated practitioners can be let loose to implement mission critical systems"

    The problem is not that we're self taught (I am, and I expect quite a few readers have a large skill set that had nothing to do with formal education and a lot to do with curiosity and breaking stuff). Indeed, just the other day I was reading through some source I'd written while on break. It was a sorting routine, written just for the hell of it, in assembler. A friend, who is doing something to do with coding as part of his engineering studies was completely flummoxed. Java was about as low level as he understood, and he preferred Rust. So...education? In what?

    Anyway, the problem is, rather, the ability of people who don't really know the full implications of what they're doing being put in a place where their mistakes are public. When writing anything that sits on the internet, assume it will be attacked. Anything else is negligence. And if the company must activate its lawyers, they should be pointed at the person who wrote that crap in the first place, not the one who discovered the flaw.

    1. Martin Gregorie Silver badge

      And if the company must activate its lawyers, they should be pointed at the person who wrote that crap in the first place, not the one who discovered the flaw.

      Better to pick on the project managers and designers rather than the coders. Its the project managers and designers job to , firstly, design a robust and secure system and, secondly, to make sure its adequately tested, bugfree and secure before it goes live.

      If the project manager's bosses prevented adequate testing because deadlines or some similar external reason, then they deserve the blame if testing was incomplete and/or the application was insecure when it went live.

      1. MatthewSt Bronze badge

        It's also the developers jobs to point out what's missing, otherwise you're telling me it's the perfect kind of job for outsourcing if you'll blindly implement the spec to the letter

      2. Anonymous Coward
        Anonymous Coward

        Its the project managers and designers job to , firstly, design a robust and secure system and, secondly, to make sure its adequately tested, bugfree and secure before it goes live.

        I have personal knowledge of a system where they claimed to have done all of that, and the managers believed them and signed off. The item in question is complete cack, but fortunately no longer sold.

    2. sev.monster

      BOFH

      I am working as the sole system administrator for an organization—about 65+ servers—and have no formal education. The dude previously in my position (that was fired for being a massive egotistic sociopathic douchenozzle to everyone over the 12ish years he worked there) had a Bachelors in Computer Science and a bunch of certifications. He somehow managed to fuck up every single thing he touched, and I am still working every day to correct course.

      Fun stories, no ul because I changed my handle 6 months ago:

      - He once said "Guess I've gotta pop the top and see what RAM we have" when asked to increase the memory of a virtual server;

      - He never did anything unless there was a chance of making himself look like a competent worker to the higher-ups or look like a God to the peons below and around him;

      - When migrating files from one fileserver to another, he somehow busted up the target so bad that it had to be restored from tape;

      - Instead of automating various things that I automated week one of my employment, he instead used them as an excuse as to why he could not get other work done;

      - He frequently slept in his office—it was audible and loud;

      - He laughed at the third-party movers that were utilized to carry a big leather couch up 3 flights of stairs, just to have them move it into his office;

      - During his short stint as a manager, he only ever let us sit on his fancy couch when we were in trouble for something.

      - He has assaulted employees in the past, and used foul language toward them in multi-CC mailing lists.

      Sounds like a great guy to work with huh? Did I mention he was technically overqualified for his position? And that there is much, much more?

    3. keithpeter
      Windows

      Testing

      End user suggests: not pointing lawyers at anyone. Just running a battery of tests against new Web applications before they are made available to punters. Test battery to be updated with new exploits &c when found.

      Test team's job is to find holes - could be fun? Gamify the whole process? Splat guns optional.

      Spokesbeing quoted in OA was suggesting that things were tested. Perhaps require formal disclosure of testing process when exploits of this nature found?

  3. tiggity Silver badge

    Legal action?

    ***** for even considering such a thing against a customer for doing that.

    Given they were spaffing peoples personal data around (hello GDPR) if someone hand edited a URL

    Frankly, whenever a URL has the look of having an ID in there somewhere, its essentially your duty to try "magic ID" variants of the URL just to make sure there are no data leaks - as if you can access someone elses data via URL tweaking then someone can access yours.

    1. David Taylor 1

      Re: Legal action?

      Perhaps it would have been better to report the issue (anonymously?) to the ICO instead. Then Southern Water would be the ones worrying about legal action -- and rightly so.

      1. Anonymous Coward
        Anonymous Coward

        Re: Legal action?

        Ha ha ha. Having reported several egregious breaches to the ICO over the years (including about an employer, so I could give them chapter and verse on how the breach was entirely deliberate), I’d suggest you save yourself the trouble. IME they will only *consider* getting involved if you’ve first complained to the organisation concerned, given them a chance to sort things out, etc. They have - again, IME - no interest in proactive enforcement and won’t even bother replying to anonymous approaches.

        Anonymous for what are probably obvious reasons.

  4. Lee D Silver badge

    Threaten legal action?

    Not a problem, mate.

    "Hello, is that the Information Commissioner's Office? Yes, I'm being threatened with legal action for reporting a severe data leak that I'm hoping hasn't gone unreported to you guys despite the company in question being aware of it since date X.... I believe it to be a major GDPR violation affecting the personal information of tens of thousands of people on the Internet and is still currently unresolved."

    Oh, you want to DROP your legal action against me now, do you? Funny that.

    1. Stumpy Silver badge

      I would still go ahead and report them for GDPR violation though. It's the only way these idiots will ever learn.

      1. Lee D Silver badge

        Yep, but you do that AFTER they aren't responsive/helpful.

      2. Anonymous Coward
        Anonymous Coward

        Yes they might get a 10,000 pound fine that after having its deadline extended for two years (by mutual agreement with the ICO) is then quietly dropped

  5. nematoad Silver badge
    FAIL

    We believe you.

    We take the protection of customer data very seriously, we rigorously test our systems and have strong measures in place to safeguard customer information.”

    Obviously.

    But being a natural monopoly they don't have to try very hard as we, the customers, have nowhere else to turn.

    And no, for the sceptics amongst you, I don't really think that they give a tinker's damn.

    1. DJV Silver badge

      And even more obviously:

      Dear Southern Water (or something beginning with "wa" anyway)

      "We take the protection of customer data very seriously" - um, no you don't.

      "we rigorously test our systems" - your interpretation of "rgiorously" and mine are obviously poles apart.

      "have strong measures in place to safeguard customer information" - I think this situation proves that is a complete lie.

      1. Sam not the Viking

        Re: And even more obviously:

        They make these fatuous statements with such sincerity.

        They should be legally obliged to justify their conviction publicly as anything else represents misleading the stock-market.

      2. sev.monster
        Paris Hilton

        Re: (or something beginning with "wa" anyway)

        Wah?

    2. This post has been deleted by its author

  6. Stumpy Silver badge
    Pint

    Southern Water - British supplier of the liquid of life

    When did they start supplying Whisky then?

    --> Icon because it's as close as we've got.

    1. Anonymous Coward
      Anonymous Coward

      I think maybe it was referring more to Southern Sewerage's penchant for releasing faecal coliform into the English Channel.

  7. Dom 3

    Legality?

    ''While the word "forgery" makes requesting a resource hosted on a public server sound like breaking into Fort Knox, doing so is not illegal in the UK or most other Western democracies.''

    I thought that the Cuthbert case:

    https://www.scl.org/articles/821-computer-misuse-prosecutions

    had shown that manipulating URLs *can* constitute unauthorised access and therefore *is* illegal despite the best of intentions.

    Or has the Act been updated to better reflect reality?

    1. Pier Reviewer

      Re: Legality?

      Client and server side request forgery (CSRF and SSRF) aren’t really forgery per se. It’s more a case of social engineering the browser/server. “Hey, hand this card to the cashier over there will you?”. Cashier recognised the person handing over the card and acts on the instructions therein.

      Vulnerability taxonomy can be pretty hazy, and I personally would describe this as an unsecure direct object reference (IDOR). However I think we can all agree it was an appalling weakness that should never have made it past the design phase never mind to production.

      Using turds like S***point, SAP etc as some kind of framework is getting more common. The problem is it appears ppl pick their crap, overpriced middleware based on what they’ve used before rather than what is appropriate. Then you get stuff like this - “we need it to do X to keep the data secure”. “Sorry, it doesn’t support X”

    2. fireflies

      Re: Legality?

      IANAL, but I expect there is a legal distinction between certain types of "server side forgeries" - namely changing part of the url to a different but legitimate url (for example in this case, it sounds like they changed the url to one that would have been available to other customers - adjusting key parts of the string of characters that then bring up a different record).

      In the Cuthbert case, he used directory path traversal, which from a brief look into what that involves, the url requests are not standard (including "../" etc.) to attempt to manipulate a poorly secured site into providing unauthorised access.

      In the first case, it is essentially a more complicated method of having "customer1, customer2, etc." in your url - the obscurity of a string of characters is not sufficient protection and if someone changed a "1" to a "2" in the url, it would not be in the public interest to consider that illegal.

      In the second case, this is like someone going around checking if your windows can be opened from outside - whether they succeed or not, the attempt can still be argued as an attempted burglary, and claiming to be security testing someone else's property without consent is a shaky ground. His argument in court was intent, and not helped by the initial attempt to cover up his involvement. If an off-duty police officer went round my house trying to open my windows, I think I would be suspicious of a claim that they were just testing my security.

  8. Doctor Syntax Silver badge

    "The practice of threatening people who make responsible disclosures of security cockups has long passed out of the IT industry in favour of bug bounty schemes and proper pentesting; perhaps other industries are still playing catchup."

    Well it has in those parts of it that actually take protections of customer data seriously as opposed to just stringing together some words they'd heard.

    1. Nick Ryan Silver badge

      Unfortunately the water company monopolies are more about shareholder return than providing value for money or a good, efficient service.

      For example, there are documented and recorded discussions about the value in investing money in fixing water leaks compared to the money lost through the lost water. At no point was the impact on the end user's water not the environment nor anything longer term considered.

      The same goes for software development and testing comparing the investment in software development and testing to the financial risk and liabilities with a failure. One would hope that the specter of GDPR fines would up the financial risk but for many organisations this isn't considered.

  9. james_smith Silver badge

    I'm amazed. This is the first time I've ever heard someone manage to get data out of SharePoint. In my experience data just disappears never to be found when it's put into that godawful software.

  10. Maximum Delfango
    Boffin

    "A quick lesson in how not to deploy Sharepoint."

    Lesson 1: never deploy Sharepoint...

    Lesson 2: ...ever.

    1. hoola Bronze badge

      Re: "A quick lesson in how not to deploy Sharepoint."

      I would assume that this is an O365 implementation as well.

      Yet again the obsession with putting everything into a public cloud with SAAS because is is:

      Faster,

      Agile

      Better

      More secure

      Cheaper

      Blah blah,

      As with everything O365, you are just running it in that amorphous being known as "the cloud". It never seems to occur to many people who should know better (or listen to those who do know better) that in order connect to the service it is on the public Internet. You can do all sorts of things to protect and hide that but it is still on a public cloud, that is what the term "public means".

  11. Anonymous Coward
    Anonymous Coward

    Sharepoint ??

    Who signed off on exposing customer data via a 3rd party platform where the security settings can change without consolation?

    1. mikepren

      Re: Sharepoint ??

      It makes me sad too

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020