Airtel's mobile app had a serious security flaw that put the personal information of over 300 million of its subscribers at risk. The company has since fixed the issue.
The vulnerability was in an application programming interface (API) used by the Airtel app; a malicious party could have used it to obtain a user's personal information with nothing more than that user's mobile number.
The flaw exposed information such as the IMEI number of the device on which the Airtel app is installed, the user's name, email address, date of birth and residential address.
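The pattern described above is a missing object-level authorization check: the API took only a mobile number and returned that subscriber's record. The following added example (not Airtel's or the researcher's code; all subscriber records, session tokens and log entries are constructed) models the vulnerable lookup, the hardened version that ties the requested number to the authenticated session, and a simple detection rule that flags sessions walking through many numbers.

```python
from collections import defaultdict
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class Subscriber:
    msisdn: str
    name: str
    email: str
    imei: str

# Constructed sample records; not real subscriber data.
SUBSCRIBERS = {
    "9100000001": Subscriber("9100000001", "Asha K", "asha@example.invalid", "IMEI-0001"),
    "9100000002": Subscriber("9100000002", "Ravi M", "ravi@example.invalid", "IMEI-0002"),
}
# Session tokens issued at app login, mapped to the number that logged in (constructed).
SESSIONS = {"tok-asha": "9100000001", "tok-ravi": "9100000002"}

class Forbidden(Exception):
    pass

def vulnerable_profile(msisdn: str) -> Optional[dict]:
    """The pattern the article describes: the only input is a mobile number,
    so any caller can read any subscriber's record."""
    sub = SUBSCRIBERS.get(msisdn)
    return None if sub is None else asdict(sub)

def hardened_profile(token: str, msisdn: str) -> Optional[dict]:
    """Object-level authorization: the session must own the requested number."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("no valid session")
    if owner != msisdn:
        raise Forbidden("requested number does not belong to this session")
    return vulnerable_profile(msisdn)

def is_denied(token: str, msisdn: str) -> bool:
    """True if the hardened endpoint refuses this (token, number) pair."""
    try:
        hardened_profile(token, msisdn)
    except Forbidden:
        return True
    return False

def enumeration_suspects(access_log: list, threshold: int = 3) -> set:
    """Detection: sessions requesting at least `threshold` distinct numbers,
    which a single subscriber has no reason to do. Log rows are (token, msisdn)."""
    seen = defaultdict(set)
    for token, msisdn in access_log:
        seen[token].add(msisdn)
    return {t for t, nums in seen.items() if len(nums) >= threshold}

# Constructed access log: tok-ravi walks through several numbers.
SAMPLE_LOG = [("tok-asha", "9100000001"), ("tok-ravi", "9100000001"),
              ("tok-ravi", "9100000002"), ("tok-ravi", "9100000003")]
```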
Ehraz Ahmed, a Bengaluru-based security researcher, discovered the flaw in the app, a flaw that is easy to find for anyone with the appropriate technical knowledge.
Ahmed said, “In one of their APIs, the flaw exists, which lets you obtain sensitive information of any of the Airtel subscribers.
It can leak information like First & Last Name, Email id, Gender, Date of Birth, Subscription Information, Address, Network Information, Device Capability information for 4G, 3G & GPRS, User Type [Prepaid/Postpaid], Activation Date, and Current IMEI number.”
Ahmed has published a case study on the issue on his website, along with a proof-of-concept video.
Ahmed also stated that the API was used by Airtel’s mobile app to fetch user information, so the vulnerability did not affect users of Airtel’s website. He also said it was one of the most significant findings in India so far, with more than 325 million affected users.
Airtel fixed the flaw after being notified by the BBC. A spokesperson from Airtel said, “There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice.” Airtel has yet to say whether the flaw was actually exploited and whether the data of all subscribers remained secure.