Authorities still can't see the difference between cybercriminals and security researchers

Aug 23, 2013 11:25 GMT  ·  By

A few days ago, we learned that the City of Johannesburg, the largest city in South Africa, had been forced to take down its online services after someone discovered that any user account could be accessed simply by changing a number in the site's URL.
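The flaw described above is an insecure direct object reference: the number in the URL is the only key used to fetch a statement. The snippet below is an added illustration, not the city's own code; it places a lookup keyed only on that number beside one scoped to the logged-in account, with constructed sample data and a constructed log format.

```python
# Added illustration (not the City of Johannesburg's code): an e-statement
# lookup keyed only on a URL number, beside a version scoped to the
# authenticated account. Data, names and the log line are constructed.

# Constructed sample data: statement id -> (owning account, content)
STATEMENTS = {
    1001: ("acct-A", "Statement for account A"),
    1002: ("acct-B", "Statement for account B"),
}


class Forbidden(Exception):
    """Raised when a caller requests a statement that is not theirs."""


def get_statement_vulnerable(session_account, statement_id):
    """Insecure direct object reference: the number from the URL is the only
    key used, so any logged-in user can read any statement by changing it.
    The session account is received but never consulted."""
    _owner, body = STATEMENTS[statement_id]
    return body


def get_statement_fixed(session_account, statement_id):
    """Scope the lookup to the caller's own account. The URL parameter is
    still accepted, but the record is returned only if it belongs to the
    authenticated session. A missing id and a foreign id look identical to
    the caller, so the endpoint does not reveal which ids exist."""
    record = STATEMENTS.get(statement_id)
    if record is None or record[0] != session_account:
        raise Forbidden("statement not found for this account")
    return record[1]


def can_view(session_account, statement_id):
    """True if the hardened lookup would serve this statement to the caller."""
    try:
        get_statement_fixed(session_account, statement_id)
        return True
    except Forbidden:
        return False


def audit_log_line(session_account, statement_id):
    """Constructed log format: record every denial so that a client walking
    through sequential ids shows up clearly in the server logs."""
    outcome = "ok" if can_view(session_account, statement_id) else "DENIED"
    return f"statement_view account={session_account} id={statement_id} result={outcome}"
```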

“The City of Johannesburg is currently experiencing technical challenges with the online viewing of e-Statements. The problem has been identified and we are working around the clock to rectify the situation. We do not believe this issue is widespread as this matter was identified in good time,” the city stated on its website.

“The City would like to reassure its customers that no information can be manipulated on the City’s Billing System.”

What’s even more interesting is the fact that Johannesburg officials claim they’re “undertaking legal proceedings against those who viewed and posted information unlawfully.”

This basically means they plan on suing the “hacker.”

The problem is that the “hacker” is far from someone with an evil agenda. Instead, he’s the chief technology officer at Bid or Buy, Gerd Naschenweng.

The expert stumbled upon the vulnerability while searching for an electronic copy of his account statement, ITWeb reports.

He immediately tried to report the issue, but without success. The City of Johannesburg call center didn’t grasp the gravity of the issue, and his emails went unanswered.

He hasn’t been charged with anything, at least not yet.

“I believe any criminal charges will have no merit or grounds, because the information is publicly available. Anyone out there would have had access to that information. Just because I was the person to come across it and tried to inform the COJ of the issue, they want to file criminal charges,” Naschenweng said.

Unfortunately, this is yet another example of how, in many cases, authorities can’t tell the difference between a security researcher and a cybercriminal.

On the other hand, even the US has difficulty differentiating the two, so it’s no wonder that less developed countries such as South Africa would be quick to label security experts as malicious hackers.