According to Tim March's blog around a week ago, the good folks at City of Charles Sturt Council (located just north west of the centre of Adelaide) imposed a parking infringement notice upon an 'acquaintance' of his. It was for $320 for parking in a disabled space (silly lad!).
Out of the goodness of their hearts the council provided a link where this acquaintance could make payment with his credit card. All he need supply was the six-digit "Ticket Number" included on the "Expiation Notice."
All well and good.
Or not.
What became immediately obvious, as he perused the "eight-by-ten colour glossies with a paragraph on the back of…" sorry, wrong song. What became immediately obvious as he checked the details, including a time-stamped photo of his offending vehicle, was that the "Ticket Number" was clearly part of the URL; indeed, he had supplied nothing else when requesting access to pay the fine.
At 2:06pm on August 23rd, March tweeted the council, "There is a serious security vulnerability in your fines payment website that leaks personal data. Please contact me." 14 minutes later, the council responded, "Could you please either phone us on 8408 1111 or email [email address] to discuss the issue." Six minutes after that, March replied, "Who is the best contact person?"
The council never replied.
It would be a simple matter to write a script to trawl through the entire set of outstanding infringement notices (testing by iTWire showed that attempts to access non-current Ticket Numbers resulted in an error message) and, using some form of OCR, digitise the clearly-photographed number plate. This would make details of the 'crime' readily available to all and sundry.
There is also an expectation that this information is private between the council and the infringing driver, but this too is subverted. In fact, with this thought in mind, we should look at the Commonwealth Privacy Act; the council is in clear breach of National Privacy Principle 4.1. According to the summary, NPP 4.1 "provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure."
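The flaw described above is a guessable six-digit number acting as the only credential. The sketch below is an added example, not the council's or Tim March's code. It sets that lookup beside a hardened one that also requires an access code printed on the notice, answers identically for unknown and wrong inputs, and locks out repeated failures. The ticket number, key handling and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the ticket number and record fields are hypothetical.
SERVER_KEY = secrets.token_bytes(32)  # assumption: in production, a persistent secret from a key store
NOTICES = {"104233": {"amount": 320, "photo": "photo-104233.jpg"}}
MAX_FAILURES = 5
_failures = {}  # client id -> count of failed lookups


def access_code(ticket: str) -> str:
    """Code printed on the paper notice; not derivable from the ticket number alone."""
    mac = hmac.new(SERVER_KEY, ticket.encode(), hashlib.sha256).hexdigest()
    return mac[:16]  # 64 bits of the MAC


def lookup_vulnerable(ticket: str):
    """The pattern the article describes: the six-digit number is the only credential."""
    return NOTICES.get(ticket)


def lookup_hardened(client: str, ticket: str, code: str):
    """Return the notice only for a valid (ticket, code) pair.

    Unknown tickets and wrong codes both yield None, so the response
    no longer reveals which ticket numbers are current.
    """
    if _failures.get(client, 0) >= MAX_FAILURES:
        return None  # locked out; a web handler would answer HTTP 429 here
    expected = access_code(ticket)  # computed even when the ticket is unknown
    # Constant-time comparison on bytes avoids leaking how much of the code matched.
    code_ok = hmac.compare_digest(expected.encode(), code.encode())
    if not (code_ok and ticket in NOTICES):
        _failures[client] = _failures.get(client, 0) + 1
        return None
    return NOTICES[ticket]
```

With this shape, knowing or guessing a ticket number is not enough to view the notice, and a client that keeps guessing is cut off after `MAX_FAILURES` attempts.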
The City of Charles Sturt Council has been contacted and we await their response with interest.


















