In yet another massive data breach incident, data of over 32 crore subscribers of telecom major Airtel were exposed. The data leaked due to a serious security flaw in the Airtel mobile app. Ehraz Ahmed, a Bengaluru-based researcher, who first noticed the fault, shared the details in a post on December 6, 2019. As per the post, a faulty Airtel API allowed people to fetch sensitive user information of any Airtel subscriber. The sensitive allowed anyone to essential information such as the name, email ID, and more.
Airtel app flaw details
According to reports, Airtel confirmed the breach saying that it has fixed the security flaw associated with its app. Ahmed also posted a video, which shows a script being used to fetch the information from the Airtel app’s API. He provided an exhaustive list of all the information accessible using the automated script. The API allowed users access to the last name, first name, gender, e-mail address, date of birth information and more. Other information included the address, subscription information, 4G capability of the device, network information, and date of activation. The script also allowed access to the type of subscription and IMEI number.
Watch: Top 5 smartphones to launch in December 2019
The combination of all this information is quite dangerous as hackers or malicious actors can use this for identity theft. They can also use this to identify and single out the device of a user. The post noted that all Airtel users were are a risk of this data leak. It is unclear if malicious actors knew about the API and were actively using it to steal the data.
For some context, Airtel is the third-largest telecom service provider in the country in terms of subscribers. Vodafone-India stands on the top spot with Reliance Jio following on the second spot. Airtel seems to have taken action to fix the flaw in the app. However, opening an API open is equally dangerous.
With inputs from IANS.