Sloppy Southern Water found leaking customers’ bills and account details





As The Register reports, UK water utility Southern Water made it all too easy for people other than the account holder to view customers’ billing documents and account details.


A customer called Chris H uncovered the problem and posted a blog post describing how the utility allowed any logged-in customer to view bills and documents belonging to other customers.


Chris, himself a Southern Water customer, describes in his blog post how he can log into his account and view recent correspondence sent to him about his water bill.





This includes being able to view his Direct Debit statement.





Clicking on the link takes Chris, as you would expect, to a PDF of the document.





Where’s the harm in that, you might wonder?


Well, take a look, as Chris did, at the URL.





Chris found that the PDF document is actually stored on Southern Water’s internal SharePoint site, and that the full link to that document is passed as a parameter in the URL visible in the customer’s browser. In other words, the customer portal takes the document’s location from the browser and fetches it on the customer’s behalf, rather than looking the document up server-side against the logged-in account.



https://youraccount.southernwater.co.uk/eservices/getpdfcorrespondence?correspondenceUrl=https://[redacted].sharepoint.com/sites/[redacted]/12/09_12_0_s1/[redacted].pdf



With a little twiddling of the parameters in the URL, it was easy to access bills belonging to other people – including their full names, addresses, cus ..
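What the article describes is a textbook insecure direct object reference: the server trusts a client-supplied document reference and never asks whether the logged-in account owns that document. The following is an added example, not Southern Water’s code or anything from Chris’s post, showing the vulnerable pattern next to two fixes: a minimal one that keeps the URL parameter but enforces a host allowlist and an ownership check, and the proper one that replaces the URL with an opaque per-account correspondence ID resolved server-side. The SharePoint host, paths, account names, IDs and PDF bytes are all constructed for the example.

```python
"""Vulnerable vs. hardened handlers for a 'download my correspondence' endpoint.

Constructed example, not Southern Water's code. The hosts, paths, account
names and document bytes are made up; only the pattern (a client-supplied
document URL fetched by the server with no ownership check) comes from the
article.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the SharePoint document library:
# internal URL -> (owning customer account, PDF bytes)
ALICE_URL = "https://example.sharepoint.com/sites/billing/12/09_12_0_s1/dd-1001.pdf"
BOB_URL = "https://example.sharepoint.com/sites/billing/12/09_12_0_s1/dd-1002.pdf"
DOCUMENT_STORE = {
    ALICE_URL: ("alice", b"%PDF-1.4 alice direct debit statement"),
    BOB_URL: ("bob", b"%PDF-1.4 bob direct debit statement"),
}

# Server-side index of which correspondence each account may see, keyed by an
# opaque ID that means nothing outside this application (constructed values).
CORRESPONDENCE_INDEX = {
    "alice": {"c-7f3a": ALICE_URL},
    "bob": {"c-91e0": BOB_URL},
}

ALLOWED_DOCUMENT_HOST = "example.sharepoint.com"  # assumed document-library host


class NotFound(Exception):
    pass


def fetch_internal_document(url):
    """Stand-in for the server's HTTP fetch of the document from SharePoint."""
    if url not in DOCUMENT_STORE:
        raise NotFound(url)
    return DOCUMENT_STORE[url][1]


def vulnerable_get_pdf(session_user, params):
    """The pattern visible in the article's URL: the browser supplies the full
    internal document URL and the server returns whatever it fetches.
    session_user is never consulted, so any logged-in customer can read any
    document they can name or guess."""
    return fetch_internal_document(params["correspondenceUrl"])


def legacy_get_pdf_with_owner_check(session_user, params):
    """Minimal fix if the URL parameter cannot be removed straight away:
    refuse anything outside the document library over https, and refuse
    documents whose recorded owner is not the logged-in account."""
    url = params.get("correspondenceUrl", "")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_DOCUMENT_HOST:
        raise NotFound(url)
    owner = DOCUMENT_STORE.get(url, (None, None))[0]
    if owner != session_user:
        raise NotFound(url)  # same 404 for "not yours" and "does not exist"
    return fetch_internal_document(url)


def hardened_get_pdf(session_user, params):
    """Proper fix: the client sends an opaque correspondence ID; the server
    resolves it through the logged-in account's own index, so a URL is never
    accepted from the client at all and other accounts' IDs simply do not
    resolve."""
    cid = params.get("correspondenceId")
    url = CORRESPONDENCE_INDEX.get(session_user, {}).get(cid)
    if url is None:
        raise NotFound(cid)
    return fetch_internal_document(url)


def handle(handler, session_user, params):
    """Run a handler and return the (status, body) the client would see."""
    try:
        return 200, handler(session_user, params)
    except NotFound:
        return 404, None
    except KeyError:
        return 400, None


if __name__ == "__main__":
    # Bob, logged in as himself, pastes Alice's document URL (or her ID).
    print(handle(vulnerable_get_pdf, "bob", {"correspondenceUrl": ALICE_URL}))
    print(handle(legacy_get_pdf_with_owner_check, "bob", {"correspondenceUrl": ALICE_URL}))
    print(handle(hardened_get_pdf, "bob", {"correspondenceId": "c-7f3a"}))
```

The vulnerable handler hands Bob Alice’s statement; both fixed handlers return a 404 that does not reveal whether the document exists. The opaque-ID design is the one to aim for, because it also removes a second risk that a full URL parameter invites: the server making requests to locations the client chooses.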
