In a major security breach, telecom giant Airtel was found to have a security flaw that exposed the sensitive user information of any Airtel subscriber. The company, however, claimed that it fixed the flaw after it was brought to its notice.
The vulnerability, which was present in Airtel’s mobile application, was first discovered by independent security researcher Ehraz Ahmed. According to a TOI report, Ahmed found a security flaw in an application programming interface (API) used by Airtel’s mobile app, which is said to be behind the security breach.
In his case study on Airtel’s security flaw, Ahmed said that the flaw existed in one of the company’s APIs. Notably, Ahmed has also published a proof-of-concept video of the flaw online to back his claim about the bug.
Moreover, Ahmed claimed that the flaw revealed personal information such as the user’s first and last name, gender, email, date of birth, address, subscription information, device capability information for 4G, 3G and GPRS, network information, activation date, user type — prepaid or postpaid — and the current IMEI number of the device.
In response to the bug in its mobile app, an Airtel spokesperson said in a statement that there was a technical issue in one of Airtel’s testing APIs, which was addressed as soon as it was brought to the company’s notice. “Airtel’s digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms,” the spokesperson added.
In India, Airtel trails behind only Vodafone Idea and Reliance Jio in terms of market share. With this security flaw, 325.5 million Airtel subscribers in India were put at risk of a data breach.
This is not the first time that Ahmed has discovered a security flaw in a mobile app. Recently, the cybersecurity researcher took to YouTube to highlight a vulnerability in JustDial’s mobile application, and published a blog post stating that one of its internal APIs potentially allowed a hacker to log in to a user account while bypassing the phone number verification. He has also previously reported security flaws in the platforms of Truecaller, Google, LinkedIn, Twitter and Netflix, among others.