07 Dec 2019
Leading telecom operator Airtel risked the personal data of its subscribers, more than 300 million people, due to a critical security flaw in its mobile app.
The issue existed in the Application Programming Interface, or API, of the Airtel app and was fixed before it could be exploited, after the BBC alerted the company.
Here's all about it.
API issue opened way to steal personal information
The security flaw, discovered by independent security researcher Ehraz Ahmed, was associated with an API being tested within the Airtel app.
The issue opened a way for any malicious party to steal the personal information of more than 300 million Airtel subscribers, ranging from their names, email addresses and dates of birth to residential addresses and IMEIs, using nothing but their mobile numbers.
Ahmed found the bug in just 15 minutes
Ahmed told BBC that it took him just 15 minutes to find this bug and any person with basic technical know-how could have done the same with ease.
Beyond that basic subscriber information, the issue also revealed details such as "Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, [and] User Type [Prepaid/Postpaid]," Ahmed added while detailing the bug.
This could have triggered a wave of spam, phishing attacks
Because the lookup was keyed only on a mobile number, a potential attacker could easily have fed randomly generated Airtel numbers into it to mine the personal details of many of Airtel's 300 million+ subscribers.
Then, using those details, they could have carried out targeted phishing attacks to trick users into giving away their money or even more confidential information, such as banking or credit/debit card details.
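The lookup pattern the article describes, an API that hands back a subscriber record for whatever mobile number it is given, is the OWASP API Top 10 category known as broken object level authorization, and the defender's fix is the same wherever it appears: bind the record to the authenticated identity and cap how fast one client can ask. The following Python illustration is added here; it is not Airtel's code and is not from the original report. The endpoint shape, the sample records, the SubscriberApi class and its audit log are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Subscriber:
    msisdn: str      # the mobile number, which the article says was the only input needed
    name: str
    email: str
    dob: str
    address: str
    imei: str


# Constructed sample records; the numbers and people are fictitious.
STORE = {
    "+910000000001": Subscriber("+910000000001", "A. Subscriber", "a@example.com",
                                "1990-01-01", "1 Example Road", "000000000000001"),
    "+910000000002": Subscriber("+910000000002", "B. Subscriber", "b@example.com",
                                "1985-05-05", "2 Example Road", "000000000000002"),
}


def lookup_by_number_only(msisdn):
    """The pattern the article describes: the sole input is a mobile number and
    the caller's identity is never checked, so every existing number yields PII
    and nothing stops the numbers from being tried one after another."""
    rec = STORE.get(msisdn)
    if rec is None:
        return None
    return {"name": rec.name, "email": rec.email, "dob": rec.dob,
            "address": rec.address, "imei": rec.imei}


class AuthorizationError(Exception):
    pass


class RateLimited(Exception):
    pass


class SubscriberApi:
    """Hardened version (constructed): the caller is authenticated and may read only
    the record bound to its own session; lookups per client are capped so an
    enumeration run trips a limit; and every denial is written to an audit log
    that a detection pipeline can alert on."""

    def __init__(self, store, limit=5, window_s=60.0, clock=time.monotonic):
        self.store = store
        self.limit = limit
        self.window_s = window_s
        self.clock = clock                  # injectable for deterministic tests
        self.calls = defaultdict(deque)     # client_id -> timestamps of recent lookups
        self.audit = []                     # constructed audit log, one dict per denial

    def _rate_limit(self, client_id):
        now = self.clock()
        recent = self.calls[client_id]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                # drop calls outside the sliding window
        if len(recent) >= self.limit:
            self.audit.append({"event": "rate_limited", "client": client_id})
            raise RateLimited(client_id)
        recent.append(now)

    def lookup(self, session_msisdn, requested_msisdn, client_id):
        self._rate_limit(client_id)
        # Object-level authorization: the record key must equal the authenticated identity,
        # so a subscriber cannot read anyone else's record no matter what number they send.
        if requested_msisdn != session_msisdn:
            self.audit.append({"event": "authz_denied", "client": client_id,
                               "requested": requested_msisdn})
            raise AuthorizationError("subscribers may only read their own record")
        rec = self.store.get(requested_msisdn)
        if rec is None:
            return None
        # Return only what the app screen needs; IMEI and full address stay server-side.
        return {"name": rec.name, "email": rec.email}


def probe(api, session_msisdn, requested_msisdn, client_id):
    """Drive one request and reduce the outcome to a label, for tests and for reading."""
    try:
        return "ok" if api.lookup(session_msisdn, requested_msisdn, client_id) else "not_found"
    except AuthorizationError:
        return "denied"
    except RateLimited:
        return "rate_limited"


if __name__ == "__main__":
    api = SubscriberApi(STORE, limit=3)
    print(probe(api, "+910000000001", "+910000000001", "client-a"))   # own record: ok
    print(probe(api, "+910000000001", "+910000000002", "client-a"))   # someone else's: denied
    print(len(api.audit), "audit entries")
```

The authorization check is the control that actually closes the hole; the rate limit only slows an enumeration attempt and makes it visible, and the audit entries are what a SOC would feed into an alert on repeated `authz_denied` events from one client.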
Thankfully, Airtel patched the flaw on time
While the issue posed a major security threat, Airtel was able to issue a fix before any harm was done.
"There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice," an Airtel spokesperson told the BBC while stressing the company's efforts to protect the privacy of its subscribers.
Commitment to keep products secure
"Airtel's digital platforms are highly secure," the Airtel spokesperson added in the statement. "Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms."