Southern Water customers could view others' personal data by tweaking URL parameters
A quick lesson in how not to deploy Sharepoint as a 'my account' file retrieval system
Southern Water - British supplier of the liquid of life - botched its internal Sharepoint implementation so badly that a customer was able to view other people’s account details.
Reg reader Chris H discovered that the way Southern Water had set up Sharepoint to host customer information as a “your account” style section of their website exposed URLs that could be tweaked to view other people’s account information.
“Unfortunately, a vulnerability in this management area allowed any logged in customer to view bills and documents from other customers, as well as retrieve authentication tokens which allowed for direct API access to their internal billing SharePoint site,” wrote Chris in a Medium blog post about the problem.
PDFs loaded through the customer portal included a URL string as so:
Some tinkering with curl and default Sharepoint URL schemas returned “some links to other customers’ correspondence,” as Chris put it.
“You should never allow users to make unknown authenticated calls against internal systems,” he wrote. No authentication was enforced against those Sharepoint URLs, meaning Chris was able to view another customer’s “full name, address, customer account number, payment reference number, bill and payment dates, account balance, payment amount, bill amount, meter details and meter readings.”
Southern Water to splash £50m on IT services to purify systems of planning, governance and internal controlsREAD MORE
As Chris pointed out, tweaking public URLs to view other information on a public server comes under the general IT security heading of "server side request forgeries", more details of which are explained by the Open Web Application Security Project here. While the word "forgery" makes requesting a resource hosted on a public server sound like breaking into Fort Knox, doing so is not illegal in the UK or most other Western democracies.
The problem has since been fixed, with Southern Water telling The Register: “We take the protection of customer data very seriously, we rigorously test our systems and have strong measures in place to safeguard customer information.”
Chris also showed us emails from Southern Water in which the company thanked him for alerting them to the blunder – and assured him it was not “currently” looking to take legal action against him, something a company PR rep had mentioned in a phone conversation with The Register.
The practice of threatening people who make responsible disclosures of security cockups has long passed out of the IT industry in favour of bug bounty schemes and proper pentesting; perhaps other industries are still playing catchup. ®