My fear is the malicious guys on this list, but let's just say here's their site; it has directory browsing enabled. Check it out:

http://212.22.176.89/ncc/mobile/

If they by mistake leave a file with sensitive data (and webmasters sometimes do), thinking nobody can get the file, it can easily be downloaded: no need for any special tools, just browse and download.

The icing on the cake: their web requests are done over HTTP, not HTTPS, so even a kid with Wireshark can sniff your PIN while you're at Java paying for parking, not to mention the fact that their requests are hard-coded to that IP. I'm not a security expert of any kind, and I figured all this out in less than 30 min playing around with it. I can only imagine what the expert penetration testers will uncover.




On 8 February 2015 at 13:21, TheMburu George <themburu@gmail.com> wrote:
Ebu shed more light on this.

On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
Anyone know the devs of the Nairobi County App at JamboPay? Need to notify them of some serious security concerns in their app. Serious to the point that I won't use the app until they are patched.

And if anyone on this list uses it, please don't use the same PIN you use for other secure services like M-Pesa, ATM, etc. until these issues are patched.



_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke



-- 
Conservatism is the adherence to the old tried against the new untried.
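The three weaknesses described in the thread (an API reachable only over cleartext HTTP, a hard-coded IP in place of a hostname, and a directory listing that exposes stray files) are all things a site owner can check for in their own deployment before a stranger does. The script below is an added example written for this thread, not code from the list or from JamboPay; the URL, IP address (an RFC 5737 documentation address) and the HTML listing are constructed samples, and the function names are my own.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: an app endpoint served over plain HTTP from a bare
# IP literal, plus the kind of HTML a web server emits when auto-indexing is on.
# Neither is real traffic from any site; 198.51.100.0/24 is reserved for docs.
SAMPLE_URL = "http://198.51.100.7/app/mobile/"
SAMPLE_LISTING = """<html><head><title>Index of /app/mobile</title></head>
<body><h1>Index of /app/mobile</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="config.bak">config.bak</a></li>
<li><a href="db_dump.sql">db_dump.sql</a></li>
</ul></body></html>"""


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href so an auto-index can be recognised."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_url(url):
    """Flag transport and host-naming weaknesses visible in the URL alone."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Anything sent in the request (PINs, session tokens) is readable on the wire.
        findings.append("cleartext-http")
    try:
        ipaddress.ip_address(parts.hostname or "")
        # An IP literal cannot carry a normal TLS certificate and cannot be
        # re-pointed when the server moves; clients keep talking to the old box.
        findings.append("hardcoded-ip")
    except ValueError:
        pass  # hostname is a DNS name (or missing), not an IP literal
    return findings


def audit_listing(body):
    """Return the file names exposed if the body looks like an auto-generated index."""
    parser = _ListingParser()
    parser.feed(body)
    # Apache and nginx auto-index pages both title the page "Index of /path".
    if not parser.title.strip().lower().startswith("index of"):
        return []
    # Sub-directory links end in "/"; the rest are downloadable files.
    return [h for h in parser.hrefs if not h.endswith("/")]


def audit(url, body):
    """Combine the URL checks with the response-body check into one report."""
    report = {"findings": audit_url(url), "exposed": audit_listing(body)}
    if report["exposed"]:
        report["findings"].append("directory-listing")
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_LISTING))
```

Run against your own server's response to the app's base path, a non-empty `exposed` list means the listing should be switched off (`Options -Indexes` in Apache, `autoindex off;` in nginx) and the named files moved out of the web root; `cleartext-http` and `hardcoded-ip` are fixed together by putting the API behind a DNS name with a certificate and pointing the app at that name.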