NZ: Christchurch transport card flaws expose identities, grant free bus rides
Darren Pauli reports:
Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free.
The security flaws in the contactless bus ticketing system — some known to operator ECan since 2009 — allowed an attacker with trivial effort to look up the details of travellers via the Metro transport website.
The site also lacked identity validation and mechanisms to prevent bots, allowing an attacker to look up and register users’ Metro cards at scale.
Read more on SC Magazine.