Grand Rapids Recycling and Refuse Accounts compromised


Grand Rapids Recycling and Refuse is a trash service I pay for through the city of Grand Rapids. They have a web application that can be accessed using your account number and assigned PIN. This website contains information about the customer, like full name, address, personal cell phone number, personal email address, current account balance, trash pickup history, and your billing statement, which contains your account number and plain text PIN (which is used as the account's password).

I wanted to take a closer look at the application and see how it works. Using Burp Suite, I intercepted the requests being made from the app.

I noticed that there was a section of the application where you could click “View PDF” and it would download a PDF of your billing statement.

[Image: ViewPDFButton]

The PDF looks like the picture below once it is downloaded and opened.

[Image: PDF]

This shows personal information, which also includes the account number and PIN that are used to log on to my profile. (They are blacked out, but you can see where they would be.)

Below is the GET request that the application sends to obtain the PDF. I thought it looked suspicious, so I took a closer look using Burp Suite.

[Image: PDFIntercept]

Here I can see an ID and a userID being passed through that seem to correlate to a PDF ID and my own userID.

With permission from a family friend, I used their account information (ID and userID) to see if I could access their PDF from my account.

I then tried switching my ID and userID numbers with my friend’s ID and userID numbers.

[Image: FriendsPDFInfo]

To my surprise, I was then provided with their PDF statement.

[Image: PDFOfFriend]

This vulnerability could allow someone with malicious intent to log onto customers’ accounts and collect lots of personal information from people all over Grand Rapids who use this service.
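The missing control here is a server-side ownership check on the statement being requested. The sketch below is an added example, not code from the application or its vendor: the handler names, the in-memory tables and the `id`/`userID` query keys are assumptions modelled on the request described above, and the "vulnerable" handler is only one server-side logic that would be consistent with the behaviour observed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    statement_id: int
    owner_user_id: int
    pdf: bytes


# Constructed sample data: two customers, one statement each.
STATEMENTS = {
    1001: Statement(1001, 7, b"%PDF-1.4 statement for user 7"),
    1002: Statement(1002, 8, b"%PDF-1.4 statement for user 8"),
}

# Constructed session table: opaque session token -> authenticated user id.
SESSIONS = {"session-of-user-7": 7, "session-of-user-8": 8}


def view_pdf_vulnerable(session_token, query):
    """Assumed flawed logic: any logged-in user receives whatever
    ID/userID pair the request names."""
    if session_token not in SESSIONS:
        return 401, b""
    stmt = STATEMENTS.get(int(query["id"]))
    if stmt is None or stmt.owner_user_id != int(query["userID"]):
        return 404, b""
    return 200, stmt.pdf


def view_pdf_fixed(session_token, query):
    """The owner comes from the server-side session; a userID sent
    by the client is ignored."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return 401, b""
    try:
        statement_id = int(query["id"])
    except (KeyError, ValueError):
        return 400, b""
    stmt = STATEMENTS.get(statement_id)
    # Same 404 for "missing" and "not yours", so responses do not confirm valid IDs.
    if stmt is None or stmt.owner_user_id != user_id:
        return 404, b""
    return 200, stmt.pdf
```

Logging the 404 branch of the fixed handler, with the session's user ID and the requested statement ID, also gives the operator a signal when one account requests statements it does not own.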

Disclosure Timeline

7/15/2015: Contacted the Refuse email through my personal account in the application.

7/16/2015: Received reply back from Racine Elliott letting me know she was passing it on to her supervisor.

7/24/2015: Sent another email to Racine asking for an update.

7/24/2015: Received an email back saying she had heard nothing but would pass the message on to her supervisor again.

8/8/2015: Received an email from Bob Swain stating they did not plan to change anything with the current web portal because they may be moving to a different vendor in the near future. He also stated he believed the risk to be minimal for customers.