• Home
  • Telecom
  • Telecom News
  • Tata Sky, Croma Site Vulnerabilities Exposed Sensitive Customer Data of Millions of Customers; Fixed Now

Tata Sky, Croma Site Vulnerabilities Exposed Sensitive Customer Data of Millions of Customers; Fixed Now

Cybersecurity researcher Rahil Bhansali discovered the vulnerabilities existed on the Tata Sky and Croma websites.

Share on Facebook Tweet Snapchat Share Reddit Comment
Tata Sky, Croma Site Vulnerabilities Exposed Sensitive Customer Data of Millions of Customers; Fixed Now

Photo Credit: Pexels

The vulnerabilities could have allowed hackers to steal Tata Sky and Croma data for phishing attacks

Highlights
  • Tata Sky site had a loophole to let hackers obtain subscriber details
  • The issue was fixed after the researcher reported it online
  • Croma also fixed the vulnerability upon it was reported on the Web

Tata Sky and Croma, the entities owned by Tata Group, exposed the data of millions of their customers due to security vulnerabilities, according to a cybersecurity researcher. The issues allowed bad actors to access sensitive data including the full names, phone numbers, addresses, date of birth, and email IDs of both Tata Sky and Croma customers, by leveraging the loopholes existing in the application programme interfaces (APIs) on their websites. Both companies fixed the vulnerabilities after these were reported on the Web.

Cybersecurity researcher Rahil Bhansali discovered the vulnerabilities existed on the Tata Sky and Croma sites. He was able to understand their extent in collaboration with his colleague Ankit Pandey.

Shortly after discovering and finding the scope of the vulnerabilities, Bhansali wrote about them on Medium. The researcher said the vulnerability affecting Tata Sky subscribers existed on its site exposed its subscribers' data that included their names, gender, date of birth, email IDs, registered mobile numbers and alternative phone numbers, and mailing addresses.

Apart from the personal information of subscribers, the researcher noted that the vulnerability exposed subscription details including the subscriber ID, subscription date, transaction history since first subscription, and the number of set-top boxes active and inactive by the subscriber.

The researcher mentioned in his Medium post that the data for over 22 million Tata Sky subscribers was accessible through the vulnerability by anyone who knows coding and has the knowledge to work with APIs. It was, however, unclear whether the issue already allowed a bad actor to access user data.

Bhansali was able to understand the flaw after visiting Tata Sky's website to do a quick recharge by entering his phone number. “To my surprise, it showed me my name, subscriber id, balance and subscription end date without even any form of login,” he wrote.

The researcher found the exposure through the vulnerability by running a script of using different phone numbers. Upon understanding the flaw, he spoke with Tata Sky CEO Harit Nagpal to elaborate the problem and that reportedly resulted in the fix.

Bhansali, however, noted that one issue still remained where the subscribers' name was still accessible for any mobile number.

“I've spent time in checking other providers as well like Jio, Vodafone, Airtel — and they've all prevented from implementing such user experiences presumably because of similar security risks,” the researcher said.

A spokesperson from Tata Sky was not immediately available at the time of filing this story to provide a comment on the fix.

Update, 2:46pm: A Tata Sky spokesperson noted: "We have proactive monitoring and security measures which make sure that if a single source tries to extract multiple subscriber records, using whatever means, one record at a time or many via a software, automated alerts are generated to prevent a potential data theft attempt." You can see the full statement at the bottom of this story.

In addition to the vulnerability existing on the Tata Sky site, Bhansali found a similar issue with the Croma site wherein he was able to find the name, registered mobile number, mailing address, and offline and online transaction history of customers purchasing goods from the retail chain.

Ritesh Ghosal, Chief Marketing Officer at Infinity Retail, which operates under the brand Croma, informed Gadgets 360 that the reported issue had been fixed.

“We have reviewed the concerns and detailed findings shared by Mr. Bhansali and have put in place further security measures to add an additional layer of security in place across our systems with immediate effect,” he said in a response over email.

The personal information exposed by vulnerabilities such as the ones found on the Tata Sky and Croma sites could be used to run phishing attacks and target individuals with scam emails and text messages.

"We at Tata Sky are conscious of the privacy of the details of our subscribers and take utmost care to protect it from being exploited by an outsider for their own commercial purpose.

We have proactive monitoring and security measures which make sure that if a single source tries to extract multiple subscriber records, using whatever means, one record at a time or many via a software, automated alerts are generated to prevent a potential data theft attempt.

We have not had any data theft issues in the distant or recent past which could materially impact our customers.

We keep reviewing our policies and data security systems regularly, to stay one step ahead of newer risks which might emerge from time to time.

As a matter of abundant caution we did carry out a special drill to reassure ourselves that our alarms were still working and there is no possibility of a breach of the nature suggested in the blog. " - Tata Sky Spokesperson


What will be the most exciting tech launch of 2021? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
YouTube.com Now Available to Be Installed as a Progressive Web App
iPhone 12, MagSafe Accessories May Interfere With Pacemakers, Medical Implants, Cautions Apple
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com