In a recent data breach incident, the data of over 32 crore Airtel subscribers was exposed because of a serious security flaw in the company's mobile application. Airtel is the third-largest private telecom provider in India after Vodafone-Idea and Jio, with over 300 million subscribers. The app in question is available for both iOS and Android customers and is used to recharge, pay bills, view detailed information about plans and services, and more.
Bengaluru-based independent cybersecurity researcher Ehraz Ahmed, who was the first to observe the technical glitch, said in his blog that the fault existed in Airtel’s API (Application Programming Interface) and enabled people “to fetch sensitive user information of any Airtel subscriber.” He also released a video demonstrating a script being used to get information from the Airtel mobile app’s API.
Ahmed said in his blog, “It revealed information like first and last name, gender, email, date of birth, address, subscription information, device capability information for 4G, 3G & GPRS, network information, activation date, user type (prepaid or postpaid) and current IMEI number.” The IMEI number is a unique number that can be used to identify the user's device.
According to the blog, every user on the Airtel network was at risk of having his or her information leaked through this vulnerability. “Every user that is on India’s Airtel network was at risk of getting his information leaked through this vulnerability, and risking over 325.5 million subscribers in India,” Ahmed said.
He provided an exhaustive list of all the information accessible using the automated script. The API allowed users access to the last name, first name, gender, e-mail address, date of birth information and more. Other information included the address, subscription information, 4G capability of the device, network information, and date of activation. The script also allowed access to the type of subscription and IMEI number.
The combination of all this information is quite dangerous, as hackers or malicious actors can use it for identity theft. They can also use it to identify and single out a user's device. The post noted that all Airtel users were at risk of this data leak. It is unclear if malicious actors knew about the API and were actively using it to steal the data.
According to reports, Airtel confirmed the breach saying that it has fixed the security flaw associated with its application and claimed to have contained the data breach that exposed “sensitive user information”.
“There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice. Airtel’s digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms,” an Airtel spokesperson told PTI.
Airtel has not shared any information about the number of users impacted by this security flaw or if any financial information has been compromised.