Airtel has fixed a security flaw in its mobile app that could have exposed the data of over 32 crore subscribers. The flaw resided in an API used to fetch sensitive data of Airtel subscribers.
The bug was reported by independent security researcher Ehraz Ahmed, who claims that “sensitive user information” can be exposed. Airtel confirmed the bug, and it has been addressed.
“There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice,” an Airtel spokesperson told the BBC.
Information Disclosure Vulnerability
The security flaw could allow an attacker to fetch subscribers' sensitive data; with these details, attackers can launch targeted attacks.
The details that can be revealed include “First & Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, User Type [Prepaid/Postpaid] And Current IMEI number.”
The vulnerability poses a risk to every Airtel network user, whose information could be exposed.
Ahmed also shared a video demonstrating how a script he wrote queries the API and fetches user data.
An Airtel spokesperson said, “Airtel’s digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms.”
Airtel is the third-largest provider next to Vodafone and Jio with more than 411.42 million subscribers.