Southern Water found itself in hot water last week when a security researcher discovered a server side request forgery exploit in their customer service system.
The (quickly rectified) mistake on the Southern Water customer self-service portal allowed the URL to be manipulated in order to display the details of another arbitrary customer account. The target URL of the backend Sharepoint system was included as a parameter on the public URL and could be manipulated to display other accounts.
This type of vulnerability is called a Server Side Request Forgery and happens when a trusted server can be manipulated to request or update data in another server that the attacker is not authorised to access. In this case, it enabled broken access controls to be exploited.
As detailed in the researchers blog post, Southern Water rolled out fixes for the issue within two days of it being reported to them.
Web applications that are published on the Internet should be validated with a Web Application Penetration Test to identify these types of issues.
Learn more about why Penetration Testing Matters.