Old Ster-Kinekor site had a security flaw that exposed users’ private data


Ster-Kinekor recently enacted drastic changes on their website, which to be quite honest were awful. Not only is their new Vista-driven website less user friendly, but when the changes were first introduced, not much worked and users were left to actually go to the cinema to book a seat – or face the prospect of the faulty website booking tickets for some rom-com in Pofadder rather than the action flick you wanted to see in your local Imax theatre.

However, while the experience was a massive PR nightmare for Ster-Kinekor, it turns out there may have been a bigger reason for wanting the new site up and running so quickly: averting an even larger debacle, that of compromised security.

South African developer Matt Cavanaugh, who goes by the name Roguecode, discovered a security flaw in Ster-Kinekor’s old website that gave him access to almost 6.7 million users’ data. Obviously a security compromise like that could cripple a company, but thankfully Cavanaugh wasn’t in it for the stolen data and alerted Ster-Kinekor to the flaw last year rather than doing anything malicious with it.

Cavanaugh gave a presentation at DevConf, where he shared the news of how he was able to gain access to details including names, addresses, phone numbers, and plain text passwords, subsequently also posting it on his personal blog:

This wasn’t a hard thing to find at all… it was just pure negligence. Not only did the API hand off details to anyone, they were also storing passwords in their database in plain text, and returning those to the client.

According to Cavanaugh, the bug in the backend API was found by looking at the website’s Flash components. He admits to not having substantial knowledge of Flash, but the bug was so rudimentary that it didn’t matter.
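To make the two failures the article describes concrete, here is an added illustration (not Ster-Kinekor’s code, nor Cavanaugh’s): a user-profile lookup written the way the old API reportedly behaved, with a plaintext password stored and returned to any caller, beside a hardened version in which the password is stored only as a salted PBKDF2 hash, the caller must hold a session for the account being read, and the password material never leaves the server. The user records, the iteration count and the session mechanism are constructed assumptions for the example.

```python
"""Added illustration of the flaw described in the article, not the site's
real code: an unauthenticated lookup that returns a user's plaintext password,
beside a hardened lookup that stores a salted hash and checks the caller."""
import hashlib
import hmac
import os
import secrets

# Constructed sample record with the field types the article lists.
INSECURE_DB = {
    101: {"name": "Sample User", "address": "1 Example Rd",
          "phone": "000 000 0000",
          "password": "hunter2"},  # stored in plaintext, as reported
}


def insecure_lookup(user_id):
    """Weak pattern: no caller check, whole row returned, password included."""
    return INSECURE_DB.get(user_id)


# ---- hardened version ----
# Assumption: iteration count in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ROUNDS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how much matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


SECURE_DB = {}   # user_id -> profile fields plus salt and hash
SESSIONS = {}    # session token -> user_id (constructed stand-in for real sessions)


def register(user_id, name, address, phone, password):
    salt, digest = hash_password(password)
    SECURE_DB[user_id] = {"name": name, "address": address, "phone": phone,
                          "salt": salt, "pw_hash": digest}


def login(user_id, password):
    """Return a session token on success, None on unknown user or bad password."""
    row = SECURE_DB.get(user_id)
    if row is None or not verify_password(password, row["salt"], row["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def secure_lookup(token, user_id):
    """Only the owner of a valid session may read their own profile fields."""
    if SESSIONS.get(token) != user_id:
        return None
    row = SECURE_DB[user_id]
    # Salt and hash stay server-side; only profile fields are serialised.
    return {k: row[k] for k in ("name", "address", "phone")}
```

The two checks in `secure_lookup` map onto the two problems in Cavanaugh’s quote: the session comparison stops the API from handing details to anyone who asks, and the explicit field selection stops credential material from ever being serialised to a client, so even a bug elsewhere cannot echo a password back.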

It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge — which is sort of what makes this scary. I had no idea how Flash worked — I still don’t — or if it is possible to pull it apart. So I Googled ‘Flash decompiler’.

What makes it worse is that the discovery required no sophisticated hacking by Cavanaugh: a few basic flaws were enough to give him access to the data. It’s actually surprising how easy it was for him to extract the data, leaving most wondering whether someone else had already found it and done something malicious with it. Fortunately credit card details were not clearly available, but having someone know your address and contact numbers is bad enough.

Obviously Ster-Kinekor wanted to keep it under wraps, and now that they have migrated over to their new, more secure system they are willing to talk about it. Following Cavanaugh’s announcement, they released a statement of their own:

Since being made aware of this state of affairs by Mr. Cavanagh, no further breaches have been detected. Ster-Kinekor was assured that our customers had not been exposed to ongoing harm and that their data had remained safe.

The company went on to say its new multi-million-Rand world-class system offers all customers “the surety of knowing that the company takes the responsibility of ensuring the security of their personal information extremely seriously”.

Ster-Kinekor seems confident that no data was used maliciously, but to be on the safe side, I would advise that if any other site shares the same password as your Ster-Kinekor account, you go ahead and change it anyway. So next time you are using the Ster-Kinekor website and it loses your booking, remember that at least your data is secure and that it could’ve been a whole lot worse.

Last Updated: March 15, 2017

Craig Risi

A man of many talents, but no sense how to use them. I could be discovering the cure for aids or finding ways to achieve world peace, but I'd rather be watching movies and writing here instead.

  • Umar

    Are you shitting me….
    “storing passwords in their database in plain text”

  • lol @ multi-million-Rand world-class system

  • Craig “CrAiGiSh” Dodd

    I’m more worried about how expensive going to the movies has now become.

    I remember how the queue used to be out the door and the cinemas were jam packed.

    Now it costs an arm and a leg just to see a movie and has become more of a luxury than a fun time.

    If movies become stream-able on release, then that will be the end of cinemas.

    • Jonah Cash

      Took my wife, daughter and my brother’s two sons to watch Lego Batman the other day… R750 gone!! That is the last time I give him time alone with his wife. It just costs too much o_O

  • For the Emperor!

    The new system sucks. I book online, only to get to the cinema and having to stand in a bloody queue to collect my tickets because the self-service thingies don’t work for redemption anymore! Imagine I was barely in time for my movie, this happens and I have to stand in line with a throng of people buying bloody popcorn?

  • Magoo

    Numetro masterrace!

  • Psycadelic Bear

    “multi-million-Rand world-class system”… so it cost them the profit of 2 medium popcorns??

  • HvR

    Hardly surprising, you are talking about a company that was still running DOS for their booking system in the mid 2000s
