
SonyLIV Fixes Flaw That Could Let Attackers Fetch Sensitive User Information

SonyLIV has over 100 million downloads on Google Play.


SonyLIV has assured that the data of its subscribers remain safe and protected

Highlights
  • SonyLIV had the flaw in one of its APIs used for login purposes
  • The flaw could be used to perform social engineering and other attacks
  • SonyLIV website and apps were affected by the vulnerability

SonyLIV has fixed a security flaw that could have allowed attackers to fetch sensitive user information such as the profile picture, email address, date of birth, name, and phone number of its registered users. The flaw, which existed in one of the APIs of the over-the-top (OTT) platform owned by Sony Pictures Networks, could have been exploited using nothing more than the email addresses of registered users. The platform uses the API to perform backend tasks such as providing the login option to existing users and fetching their account details. SonyLIV confirmed the fix to Gadgets 360 and assured that the data of its subscribers remain safe and protected.

“A bug that could have affected accounts using social media IDs for logging onto SonyLIV has been identified and removed. Data of all our subscribers remain safe and securely protected,” a SonyLIV spokesperson said in a prepared statement emailed to Gadgets 360.

The flaw was discovered by Bengaluru-based security researcher Ehraz Ahmed within the login process of SonyLIV. He showed a proof-of-concept (PoC) to Gadgets 360 last week. By manually sending a cURL request, Gadgets 360 was able to verify the vulnerability and notified SonyLIV of its existence.

The IT team at SonyLIV started working on the fix soon after the issue was highlighted by Gadgets 360 and took a few days to make sure that it had been applied across all the apps and Web platforms. Since the flaw existed in the API designed for login functions, it affected SonyLIV's mobile apps as well as its website.

Ahmed, while speaking with Gadgets 360, underlined that finding the flaw was quite easy since SonyLIV didn't use any major security rules to protect backdoor access.

“The attackers could fetch sensitive user information in a few minutes using the vulnerability,” the researcher said.

After gaining access to the security loophole, a bad actor needed only the email address of a signed-in SonyLIV user to obtain that user's sensitive information. Additionally, the researcher explained that the vulnerability could be used to acquire the authentication token and thereby gain full access to the user account. This means that attackers would be able to log in to the user account using the authentication token obtained through the reported flaw. The token could also be used to access other APIs of SonyLIV.
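As an added illustration (not code from the article, the researcher, or SonyLIV), the constructed Python sketch below contrasts the flaw class described above, a pre-login lookup that hands back profile fields and a session token for any known email address, with a hardened version that reveals nothing at the lookup step and issues a token only after an identity assertion is verified. The user data, the IdP secret, and every function name are hypothetical; the HMAC assertion stands in for a real identity-provider signature check.

```python
"""Constructed example: e-mail-keyed account lookup, flawed vs. hardened."""
import hmac
import secrets

# Hypothetical user store and session table (constructed sample data).
USERS = {
    "alice@example.com": {"name": "Alice", "dob": "1990-01-01",
                          "phone": "+91-00000-00000", "provider": "social"},
}
SESSIONS = {}  # token -> email
# Stand-in for verifying an identity provider's signed assertion (hypothetical).
IDP_SECRET = b"constructed-shared-secret-not-real"


def lookup_account_flawed(email):
    """Flawed pattern: knowing an e-mail address yields PII and a login token."""
    user = USERS.get(email)
    if user is None:
        return {"exists": False}          # also lets callers enumerate accounts
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return {"exists": True, **user, "token": token}


def lookup_account_hardened(email):
    """Hardened: identical, data-free response for known and unknown e-mails."""
    return {"next": "identity_provider"}  # no profile fields, no token


def make_assertion(email):
    """What a trusted IdP would produce for a verified login (stand-in only)."""
    return hmac.new(IDP_SECRET, email.encode(), "sha256").hexdigest()


def complete_login_hardened(email, assertion):
    """Issue a session token only after the identity proof checks out."""
    if not hmac.compare_digest(make_assertion(email), assertion):
        return None
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def profile(token):
    """Profile data is served only to the holder of a valid session token."""
    email = SESSIONS.get(token)
    return None if email is None else dict(USERS[email])
```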

“It could cause a massive data breach, and the flaw was a risk to all the registered users as it could leak their sensitive information on the Web,” Ahmed told Gadgets 360. “The attackers could use the information fetched to even perform social engineering and other attacks.”

The researcher developed a script that sent a request to the affected API and fetched user information along with the authentication token. He also created a video and published a case study detailing the flaw, both of which were kept unlisted and private until the fix was confirmed to Gadgets 360.


SonyLIV provides access to various TV shows that are broadcast on channels owned by Sony Pictures Networks. The platform, launched back in January 2013, also provides access to live sports matches and live channels such as Animax HD, Sony BBC Earth, and Food Food, among others. A paid subscription to SonyLIV is also available, starting at Rs. 99 a month, which brings access to live TV, premium shows, movies, and sports events.

The Android app of SonyLIV has over 100 million downloads, as per the listing available on Google Play. However, the total number of registered users hasn't been disclosed.


Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or by email at jagmeets@ndtv.com.