BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Rain fixes security flaw in website that could leak personal data

From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 4 Jun 2019 05:14:36 -0500
https://mybroadband.co.za/news/security/307744-rain-fixes-security-flaw-in-website-that-could-leak-personal-data.html

Rain has fixed a security flaw in its website that allowed
subscribers, who were logged into their online profiles, to view the
invoices of other clients.

A MyBroadband reader discovered the flaw after Rain emailed a notice
to subscribers who had not set a spend limit on their accounts. The
company was encouraging its customers to set a spend limit to avoid
bill shock.

While visiting their Rain dashboard, the subscriber noticed there was
an area to download their monthly invoices.

Upon clicking on it, they noticed that something was amiss, as the URL
of the page to download the invoice was in the form
“https://www.rain.co.za/view-invoice?number=76543210”.

The number in the URL matched the invoice number. By guessing another
valid invoice number, you could access someone else’s invoice.

Downloaded invoices contained the name and address of the subscriber,
along with the product they were being billed for that month.

Issue fixed

“We acknowledge the issue that allowed a logged-on customer to
speculatively view invoices of other customers,” Rain told
MyBroadband.

“This was due to a bug in the middleware software which has now been resolved.”

Rain said that it has an internal security team and performs regular
tests on its systems, in line with best practices.

“Rain takes the security of our clients’ data extremely seriously. The
moment we become aware of any breach and/or bug in this regard, we
immediately act to solve the problem,” the company said.

For security-related concerns, Rain said that members of the public
can send an email to security () rain co za.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com

If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange
Previous By Date Next
Previous By Thread Next

Current thread: