BreachExchange mailing list archives
Rain fixes security flaw in website that could leak personal data
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 4 Jun 2019 05:14:36 -0500
https://mybroadband.co.za/news/security/307744-rain-fixes-security-flaw-in-website-that-could-leak-personal-data.html

Rain has fixed a security flaw in its website that allowed subscribers, who were logged into their online profiles, to view the invoices of other clients.

A MyBroadband reader discovered the flaw after Rain emailed a notice to subscribers who had not set a spend limit on their accounts. The company was encouraging its customers to set a spend limit to avoid bill shock.

While visiting their Rain dashboard, the subscriber noticed there was an area to download their monthly invoices. Upon clicking on it, they noticed that something was amiss, as the URL of the page to download the invoice was in the form “https://www.rain.co.za/view-invoice?number=76543210”.

The number in the URL matched the invoice number. By guessing another valid invoice number, you could access someone else’s invoice.

Downloaded invoices contained the name and address of the subscriber, along with the product they were being billed for that month.

Issue fixed

“We acknowledge the issue that allowed a logged-on customer to speculatively view invoices of other customers,” Rain told MyBroadband. “This was due to a bug in the middleware software which has now been resolved.”

Rain said that it has an internal security team and performs regular tests on its systems, in line with best practices.

“Rain takes the security of our clients’ data extremely seriously. The moment we become aware of any breach and/or bug in this regard, we immediately act to solve the problem,” the company said.

For security-related concerns, Rain said that members of the public can send an email to security () rain co za.