
Southern Water customers could view others' personal data by tweaking URL parameters
2020-08-28 11:40

Southern Water - British supplier of the liquid of life - botched its internal Sharepoint implementation so badly that a customer was able to view other people's account details.

Reg reader Chris H discovered that the way Southern Water had set up SharePoint to host customer information as a "Your account" style section of its website exposed URLs that could be tweaked to view other people's account information.

"Unfortunately, a vulnerability in this management area allowed any logged in customer to view bills and documents from other customers, as well as retrieve authentication tokens which allowed for direct API access to their internal billing SharePoint site," wrote Chris in a Medium blog post about the problem.

As Chris pointed out, tweaking public URLs to view other information on a public server comes under the general IT security heading of "Server side request forgeries", more details of which are explained by the Open Web Application Security Project here.
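The flaw described above is a missing object-level authorization check: the server looked up whatever record the URL parameter named and returned it to any logged-in user. The following is an added illustration, not code from the article, from Chris H's write-up or from Southern Water's site; it uses constructed sample bills and a hypothetical `billId` parameter name, and shows the lookup with the defect beside a hardened version that ties every lookup to the account of the authenticated session.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Bill:
    bill_id: int
    account_id: int
    amount_gbp: float


# Constructed sample data (hypothetical, not Southern Water's): two bills owned
# by two different customer accounts.
BILLS: Dict[int, Bill] = {
    1001: Bill(bill_id=1001, account_id=1, amount_gbp=42.10),
    1002: Bill(bill_id=1002, account_id=2, amount_gbp=57.95),
}


class NotFound(Exception):
    """Raised when no bill can be returned for this session and request."""


def get_bill_vulnerable(session_account_id: int, params: Dict[str, str]) -> Bill:
    """Defective handler: trusts the 'billId' URL parameter and never checks
    that the record belongs to the caller's account."""
    bill_id = int(params["billId"])
    bill = BILLS.get(bill_id)
    if bill is None:
        raise NotFound(bill_id)
    return bill  # any logged-in customer can read any customer's bill


def get_bill_hardened(session_account_id: int, params: Dict[str, str]) -> Bill:
    """Hardened handler: the requested record must be owned by the account
    bound to the authenticated session, not just exist."""
    try:
        bill_id = int(params["billId"])
    except (KeyError, ValueError):
        raise NotFound("billId") from None
    bill = BILLS.get(bill_id)
    # Use one response for 'does not exist' and 'not yours' so the endpoint
    # cannot be used to confirm which bill ids are valid.
    if bill is None or bill.account_id != session_account_id:
        raise NotFound(bill_id)
    return bill


def access_denied(session_account_id: int, params: Dict[str, str]) -> bool:
    """Convenience check: True when the hardened handler refuses the request."""
    try:
        get_bill_hardened(session_account_id, params)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # Account 1 asks for account 2's bill: the defective handler hands it over,
    # the hardened one refuses.
    print(get_bill_vulnerable(1, {"billId": "1002"}))
    print(access_denied(1, {"billId": "1002"}))
```

The ownership comparison is the whole fix; an equivalent pattern is to query storage by the pair (session account, bill id) so that a record the caller does not own is never fetched at all. Either way the session, not the URL, decides whose data is in scope.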

The problem has since been fixed, with Southern Water telling The Register: "We take the protection of customer data very seriously; we rigorously test our systems and have strong measures in place to safeguard customer information."

News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/28/southern_water_sharepoint_shenanigans/