[BreachExchange] Rain fixes security flaw in website that could leak personal data

Destry Winant destry at riskbasedsecurity.com
Tue Jun 4 06:14:36 EDT 2019


https://mybroadband.co.za/news/security/307744-rain-fixes-security-flaw-in-website-that-could-leak-personal-data.html

Rain has fixed a security flaw in its website that allowed
subscribers who were logged into their online profiles to view the
invoices of other clients.

A MyBroadband reader discovered the flaw after Rain emailed a notice
to subscribers who had not set a spend limit on their accounts. The
company was encouraging its customers to set a spend limit to avoid
bill shock.

While visiting their Rain dashboard, the subscriber noticed there was
an area to download their monthly invoices.

Upon clicking on it, they noticed that something was amiss, as the URL
of the page to download the invoice was in the form
“https://www.rain.co.za/view-invoice?number=76543210”.

The number in the URL matched the invoice number. By guessing another
valid invoice number, you could access someone else’s invoice.

Downloaded invoices contained the name and address of the subscriber,
along with the product they were being billed for that month.
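The flaw described above is an insecure direct object reference: the session proves the caller is some logged-in customer, but the invoice lookup is keyed only on the guessable number. The following is an added illustration, not code from the article or from Rain, that models the number-only lookup beside an owner-bound one and adds a simple count of rejected requests per session that a defender could use to spot the pattern; the store, names and log entries are constructed.

```python
"""Added example (not from the article or Rain's systems): an invoice lookup
keyed only on the invoice number beside an owner-bound lookup, plus a
per-user count of rejected requests. All data here is constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    number: int
    owner_id: str
    name: str
    address: str
    product: str

# Constructed sample store keyed by the sequential invoice number.
INVOICES = {
    76543210: Invoice(76543210, "cust-A", "A. Subscriber", "1 Example St", "rain 4G unlimited"),
    76543211: Invoice(76543211, "cust-B", "B. Subscriber", "2 Example Ave", "rain 5G premium"),
}

def view_invoice_vulnerable(session_user: str, number: int) -> Optional[Invoice]:
    """IDOR: the session only proves the caller is *a* logged-in customer;
    the lookup never checks that the invoice belongs to that customer."""
    return INVOICES.get(number)

def view_invoice_fixed(session_user: str, number: int) -> Optional[Invoice]:
    """Owner-bound lookup: the record must exist AND belong to the caller.
    Both failure cases return the same None, so the endpoint does not
    reveal which invoice numbers exist."""
    inv = INVOICES.get(number)
    if inv is None or inv.owner_id != session_user:
        return None
    return inv

# Constructed access log: (session user, invoice number requested).
ACCESS_LOG = [("cust-A", 76543210), ("cust-A", 76543211),
              ("cust-A", 76543212), ("cust-B", 76543211)]

def denied_requests_per_user(log):
    """Detection aid: count, per session user, invoice requests the
    owner-bound check rejected. A logged-in user accumulating denials is
    the 'speculative viewing' the article describes."""
    counts = {}
    for user, number in log:
        if view_invoice_fixed(user, number) is None:
            counts[user] = counts.get(user, 0) + 1
    return counts
```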

Issue fixed

“We acknowledge the issue that allowed a logged-on customer to
speculatively view invoices of other customers,” Rain told
MyBroadband.

“This was due to a bug in the middleware software which has now been resolved.”

Rain said that it has an internal security team and performs regular
tests on its systems, in line with best practices.

“Rain takes the security of our clients’ data extremely seriously. The
moment we become aware of any breach and/or bug in this regard, we
immediately act to solve the problem,” the company said.

For security-related concerns, Rain said that members of the public
can send an email to security at rain.co.za.
