They say “Bad things come in threes.” Well, it's 300 million in the case of Airtel, India’s third-largest telecom network provider. Airtel said that it has fixed a serious security flaw in its mobile app’s API that allowed potential threat actors to fetch sensitive user information of any Airtel subscriber.
This security flaw was discovered by a Bengaluru-based independent security researcher named Ehraz Ahmed. He said, “The flaw existed in one of their APIs that allows you to fetch sensitive user information of any Airtel subscriber. It revealed information like first & last name, gender, email, date of birth, address, subscription information, device capability information for 4G, 3G & GPRS, network information, activation date, user type [prepaid/postpaid] and current IMEI number.”
Airtel is yet to confirm whether there was an actual data breach or not, but a spokesperson told BBC, “There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms.”
In a similar finding last month, Ahmed found a security flaw in the popular caller-identification app Truecaller. This bug could have exposed sensitive user data, location, and system information to attackers. The globally available platform is popular in India, with 500 million downloads and 150 million active users. According to Ahmed, the malicious script would have been able to execute without user consent.
Truecaller thanked the researcher for reporting the vulnerability and urged all users to update to the latest version.
“We have partnered with a community of researchers and will shortly announce a bounty program where we, as a transparent and responsible organization, will also reward researchers for their contributions,” the company said in a statement.