Ster-Kinekor recently enacted drastic changes on their website, which to be quite honest were awful. Not only is their new Vista-driven website less user friendly, but when the changes were first introduced, not much worked and users were left to actually go to the cinema to book a seat – or face the prospects of the faulty website booking tickets for some rom-com in Pofadder rather than the action flick you wanted to see in your local Imax theatre.
However, while the experience was a massive PR nightmare for Ster-Kinekor, it turns out that there may have been a bigger reason for wanting to get the new site up and running so quickly: to avert an even bigger debacle, that of compromised security.
South African developer Matt Cavanaugh, who goes by the name Roguecode, was able to discover a security flaw in Ster-Kinekor’s old website and gained access to almost 6.7 million users’ data. Obviously a security compromise like that could cripple a company, but thankfully Cavanaugh wasn’t in it for the stolen data and alerted Ster-Kinekor to the flaw last year rather than doing anything malicious with it.
Cavanaugh gave a presentation at DevConf, where he shared the news of how he was able to gain access to details including names, addresses, phone numbers, and plain text passwords, subsequently also posting it on his personal blog:
This wasn’t a hard thing to find at all… it was just pure negligence. Not only did the API hand off details to anyone, they were also storing passwords in their database in plain text, and returning those to the client.
According to Cavanaugh, the bug in the backend API was found via the website’s Flash bits. He admits to not having substantial knowledge of Flash, but that the bug was so rudimentary it didn’t matter.
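As an added illustration (not code from the article, from Cavanaugh, or from Ster-Kinekor’s site), the two flaws he describes side by side with their fixes: an endpoint that hands any caller a record with the stored plain-text password, beside one that lets a caller read only its own record, stores a salted PBKDF2 hash instead of the password, and strips credential fields from the response. The user record and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample record; the name, contact details and password are made up.
USERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid",
           "phone": "000 000 0000", "password": "hunter2"},  # stored in plain text
}

def lookup_user_vulnerable(requested_id):
    """Old pattern: no check on who is asking, and the raw row (password included) is returned."""
    return USERS.get(requested_id)

# Hardened equivalent ------------------------------------------------------

PBKDF2_ROUNDS = 200_000  # work factor; raise as hardware allows

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Build the hashed store from the sample data (a one-off migration of the plain-text table).
SAFE_USERS = {}
for uid, row in USERS.items():
    salt, digest = hash_password(row["password"])
    SAFE_USERS[uid] = {"name": row["name"], "email": row["email"],
                       "phone": row["phone"], "salt": salt, "pw_hash": digest}

PUBLIC_FIELDS = ("name", "email", "phone")  # credential fields never leave the server

def authenticate(user_id, password):
    """Returns True only if the password matches the stored salted hash."""
    row = SAFE_USERS.get(user_id)
    return row is not None and verify_password(password, row["salt"], row["pw_hash"])

def lookup_user_hardened(session_user_id, requested_id):
    """A caller may read only its own record, and only the non-credential fields of it."""
    if session_user_id != requested_id:
        raise PermissionError("callers may only read their own profile")
    row = SAFE_USERS.get(requested_id)
    return None if row is None else {k: row[k] for k in PUBLIC_FIELDS}
```

A real deployment would hold the session identity server-side (from a verified cookie or token) rather than trusting a user id supplied by the client.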
It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge — which is sort of what makes this scary. I had no idea how Flash worked — I still don’t — or if it is possible to pull it apart. So I Googled ‘Flash decompiler’.
What makes it worse is that it wasn’t any sophisticated hacking by Cavanaugh that led to the discovery, but some basic flaws that allowed him to reach the compromised data. It’s actually surprising how easy it was for him to extract the data, which leaves most wondering whether someone else had already found it and done something malicious with it. Fortunately credit card details were not clearly available, but having someone know your address and contact numbers is bad enough.
Obviously Ster-Kinekor wanted to keep it under wraps, and now that they have migrated over to their new, more secure system they are willing to talk about it. Following Cavanaugh’s announcement, they released a statement of their own:
Since being made aware of this state of affairs by Mr. Cavanaugh, no further breaches have been detected. Ster-Kinekor was assured that our customers had not been exposed to ongoing harm and that their data had remained safe.
The company went on to say its new multi-million-Rand world-class system offers all customers “the surety of knowing that the company takes the responsibility of ensuring the security of their personal information extremely seriously”.
Ster-Kinekor seems confident that no data was used maliciously, but to be on the safe side, I would advise that if you used the same password on any other site as on your Ster-Kinekor account, you go ahead and change it anyway. So next time you are using the Ster-Kinekor website and it loses your booking, remember that at least your data is secure and that it could’ve been a whole lot worse.