Airtel has fixed a serious security flaw in its eponymous Airtel mobile app that could have put the data of over 300 million users of the company’s telecom services at risk. The vulnerability was in the Airtel app’s API (application programming interface) and could have been exploited by malicious parties to access a user’s personal data using nothing more than their mobile number. The security flaw in the Airtel app could provide access to information such as the user’s name, email, birthday, residential address, and the IMEI number of the device on which the app was installed. The flaw was fixed once it was brought to the telco’s attention.
The security flaw in the Airtel app – which appears to have been relatively easy to find for a hacker with the appropriate technical know-how – was discovered by Bengaluru-based security researcher Ehraz Ahmad. “It took me 15 minutes to find this flaw”, Ahmad was quoted as saying by BBC. As mentioned above, the flaw was spotted in the Airtel mobile app’s API and could have been misused to access details such as the subscriber’s name, address, birthday, and the IMEI number of the phone or tablet on which the app was installed. It could even expose the email addresses of Airtel customers, leaving them vulnerable to spam and other targeted attacks.
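The flaw described above is a profile endpoint that hands out a subscriber’s record to anyone who supplies the mobile number. The following is an added example, not Airtel’s code, that contrasts that shape with a handler which checks that the caller’s session owns the requested record, plus a small log check for the harvesting pattern such an endpoint invites; the bearer-token session mechanism, the sample profiles and the access log are all constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data for this example; no real subscribers or sessions.
PROFILES: Dict[str, dict] = {
    "+910000000001": {"name": "Asha", "email": "asha@example.invalid", "imei": "IMEI-A"},
    "+910000000002": {"name": "Ravi", "email": "ravi@example.invalid", "imei": "IMEI-B"},
    "+910000000003": {"name": "Meera", "email": "meera@example.invalid", "imei": "IMEI-C"},
}
# Assumed session store: bearer token -> the subscriber number that logged in.
SESSIONS: Dict[str, str] = {"tok-asha": "+910000000001", "tok-ravi": "+910000000002"}


def profile_vulnerable(msisdn: str) -> Tuple[int, Optional[dict]]:
    """The shape the article describes: whoever knows a number gets its record.
    There is no notion of who is asking, so any number can be looked up."""
    rec = PROFILES.get(msisdn)
    return (200, rec) if rec else (404, None)


def profile_hardened(token: str, msisdn: str) -> Tuple[int, Optional[dict]]:
    """Object-level authorization: the session must own the requested record."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None          # not authenticated at all
    if owner != msisdn:
        # Authenticated, but asking for someone else's record. Deny before
        # touching the data store so the response never reveals whether
        # the other number exists.
        return 403, None
    rec = PROFILES.get(msisdn)
    return (200, rec) if rec else (404, None)


def enumeration_suspects(access_log: List[Tuple[str, str]], max_distinct: int = 1) -> List[str]:
    """Detection side: one session fetching many distinct numbers is the
    footprint of mass harvesting through an endpoint like the one above.
    A legitimate session should only ever request its own number."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for token, msisdn in access_log:
        seen[token].add(msisdn)
    return sorted(t for t, nums in seen.items() if len(nums) > max_distinct)


# Constructed access-log sample: (session token, requested number).
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("tok-asha", "+910000000001"),
    ("tok-ravi", "+910000000002"),
    ("tok-ravi", "+910000000001"),
    ("tok-ravi", "+910000000003"),
]
```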
Thankfully, Airtel claims to have fixed the flaw after it was notified about it by BBC. “There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice”, an Airtel spokesperson was quoted as saying by BBC. Airtel, which is currently India’s third-largest telecom operator behind Vodafone Idea and Jio, further added that the company’s digital platforms are highly secure.
“Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms”, the Airtel spokesperson added. However, the company is yet to reveal whether there was an actual breach and whether the data of all customers remained secure. We have reached out to Airtel, but the company spokesperson told Gadgets 360 that Airtel has nothing new to add.
Last month, Ahmad had shared with Gadgets 360 a similar API-based flaw in Truecaller that could have exposed user information to an attacker. In a similar fashion, the flaw was fixed by Truecaller once it was notified by Gadgets 360.