SonyLIV has fixed a security flaw that could have allowed attackers to fetch sensitive user information such as the profile picture, email address, date of birth, name, and phone number of its registered users. The flaw, which existed in one of the APIs of the over-the-top (OTT) platform owned by Sony Pictures Networks, could have been exploited simply by using the email addresses of registered users. The platform uses the API to perform backend tasks such as providing the login option to existing users and fetching their account details. SonyLIV confirmed the fix to Gadgets 360 and assured that the data of its subscribers remain safe and protected.
“A bug that could have affected accounts using social media IDs for logging onto SonyLIV has been identified and removed. Data of all our subscribers remain safe and securely protected,” a SonyLIV spokesperson said in a prepared statement emailed to Gadgets 360.
The flaw was discovered by Bengaluru-based security researcher Ehraz Ahmed within the login process of SonyLIV. He showed a proof-of-concept (PoC) to Gadgets 360 last week. By sending a cURL request manually, Gadgets 360 was able to verify the vulnerability and notified SonyLIV of its existence.
The IT team at SonyLIV started working on the fix soon after the issue was highlighted by Gadgets 360 and took a few days to make sure that it had been applied across all the apps and Web platforms. Since the flaw existed in the API designed for login functions, it affected SonyLIV's mobile apps as well as its website.
Ahmed, while speaking with Gadgets 360, underlined that finding the flaw was quite easy since SonyLIV didn't use any major security rules to protect backdoor access.
“The attackers could fetch sensitive user information in a few minutes using the vulnerability,” the researcher said.
After gaining access to the security loophole, a bad actor only needed the email address of one of the signed-in SonyLIV users to obtain their sensitive information. Additionally, the researcher explained that the vulnerability could be used to acquire the authentication token and gain full access to the user account. This means that attackers exploiting the reported flaw would be able to log in to the user account using the authentication token. The token could also be used to access other APIs of SonyLIV.
“It could cause a massive data breach, and the flaw was a risk to all the registered users as it could leak their sensitive information on the Web,” Ahmed told Gadgets 360. “The attackers could use the information fetched to even perform social engineering and other attacks.”
The researcher developed a script that sent a request to the affected API and fetched user information along with the authentication token. He also created a video and published a case study detailing the flaw, both of which were unlisted and private until the fix was confirmed to Gadgets 360.
SonyLIV provides access to various TV shows that are broadcast on channels owned by Sony Pictures Networks. The platform, launched back in January 2013, also provides access to live sports matches and live channels such as Animax HD, Sony BBC Earth, and Food Food, among others. A paid subscription to SonyLIV, starting at Rs. 99 a month, is also available and brings access to live TV, premium shows, movies, and sports events.
The Android app of SonyLIV has over 100 million downloads, as per the listing available on Google Play. However, the total number of registered users hasn't been disclosed.