Airtel its Flaw in Mobile App Could Have Exposed Data of Millions 1i5x4g Issues Fix

The security flaw in Airtel’s mobile app could expose details such as name, address, emails, and IMEI number. 2rg67

By Nadeem Sarwar | Updated: 7 December 2019 11:56 IST

Airtel its Flaw in Mobile App Could Have Exposed Data of Millions, Issues Fix

The security flaw was discovered by security researcher Ehraz Ahmed 461q2e

Highlights

Airtel has fixed the security flaw linked with testing APIs in the app
Hackers could exploit it to access names, emails, and IMEI number
Airtel has not disclosed if the security flaw was exploited before fixing

ment

Airtel has fixed a serious security flaw in its eponymous Airtel mobile app that could have put the data of over 300 million s who avail the company's telecom services, at risk. The vulnerability was associated with the Airtel app's API (application programming interface) and could have been exploited by malicious parties to access the personal data of s by just using their mobile number. The security flaw in the Airtel app could provide access to information such as the name of s, emails, birthday, residential address, and the IMEI number of the device on which the app was installed. The flaw has been fixed once it was brought to the telco's attention.

The security flaw in the Airtel app - which appears to have been relatively easy to find for a hacker with the appropriate technical know-how - was discovered by Bengaluru-based security researcher, Ehraz Ahmed. In a statement to Gadgets 360, Ahmed said, "The flaw exists in one of their API that allows you to fetch sensitive information of any Airtel subscriber. It revealed information like First & Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, Type [Prepaid/Postpaid] And Current IMEI number." He has also published a case study, and a proof of concept video, as seen below.

As mentioned above, the flaw was spotted in the Airtel mobile app's API and could have been misused to access details such as the name of subscriber, their address, birthday, and IMEI number of their phone or tablet on which the app was installed. It could even expose the emails of Airtel customers, leaving them vulnerable to spam and other targeted attacks. Ahmed also added that the API in question was used in Airtel's mobile app to fetch information. The vulnerability, thus, didn't impact s through Airtel's website. He also says that it was one of the biggest findings in India so far — crossing 325 million affected s.

Thankfully, Airtel claims to have fixed the flaw after it was Jio, further added that the company's digital platforms are highly secure.

“Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms”, the Airtel spokesperson added. However, the company is yet to reveal if there was an actual breach and whether the data of all customers was secure. We have reached out to Airtel, but the company spokesperson told Gadgets 360 that Airtel has nothing new to add.

Ahmed last month had shared a similar API-based Truecaller once it was notified by Gadgets 360.

With additional inputs from Jagmeet Singh

Comments

For the latest reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.