Airtel has fixed a serious security flaw in its eponymous Airtel mobile app that could have put the data of over 300 million users who avail the company's telecom services, at risk. The vulnerability was associated with the Airtel app's API (application programming interface) and could have been exploited by malicious parties to access the personal data of users by just using their mobile number. The security flaw in the Airtel app could provide access to information such as the name of users, emails, birthday, residential address, and the IMEI number of the device on which the app was installed. The flaw has been fixed once it was brought to the telco's attention.
The security flaw in the Airtel app - which appears to have been relatively easy to find for a hacker with the appropriate technical know-how - was discovered by Bengaluru-based security researcher, Ehraz Ahmed. In a statement to Gadgets 360, Ahmed said, "The flaw exists in one of their API that allows you to fetch sensitive user information of any Airtel subscriber. It revealed information like First & Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, User Type [Prepaid/Postpaid] And Current IMEI number." He has also published a case study, and a proof of concept video, as seen below.
As mentioned above, the flaw was spotted in the Airtel mobile app's API and could have been misused to access details such as the name of subscriber, their address, birthday, and IMEI number of their phone or tablet on which the app was installed. It could even expose the emails of Airtel customers, leaving them vulnerable to spam and other targeted attacks. Ahmed also added that the API in question was used in Airtel's mobile app to fetch user information. The vulnerability, thus, didn't impact users through Airtel's website. He also says that it was one of the biggest findings in India so far — crossing 325 million affected users.
Thankfully, Airtel claims to have fixed the flaw after it was notified about it by BBC. “There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice”, an Airtel spokesperson was quoted as saying by BBC. Airtel, which is currently India's third-largest telecom operator behind Vodafone Idea and Jio, further added that the company's digital platforms are highly secure.
“Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms”, the Airtel spokesperson added. However, the company is yet to reveal if there was an actual breach and whether the data of all customers was secure. We have reached out to Airtel, but the company spokesperson told Gadgets 360 that Airtel has nothing new to add.
Ahmed last month had shared a similar API-based flaw for Truecaller with Gadgets 360, a flaw that could have exposed user information to an attacker. In a similar fashion, the flaw was fixed by Truecaller once it was notified by Gadgets 360.
With additional inputs from Jagmeet Singh