
Plynt Blog

Breach at Airtel

by Roshen Chandran  | 28 Jun 2006 | Comments

News reports that a hacker compromised Airtel, a major mobile service provider, and stole the call records of VVIPs are causing ripples in the media. At the water cooler today this was the topic of discussion, as the “attack” happened in our backyard.

The Times of India reported that Ankit Srivastava, a Ph.D. student, breached the customer service website of Airtel, one of India’s largest cell phone companies. He stole the call records - who had called whom - of several important people, including the police commissioner of Delhi. In one version, he blackmailed Airtel for Rs 1 Cr (~ $250,000) in return for keeping silent. The company filed a complaint and he’s in police custody now.

Discussions at the cooler, though, focused on how he obtained the call records. According to the Times of India:

The service allows customers to get their call details by entering their number and an email ID. Simply by doing this, he (Ankit) would receive the call details on the email id entered by him. He first got his mobile record and then those of his friends. He then entered the mobile numbers of top cops and the service provider promptly provided him the records.

Airtel lets logged-in users receive their billing statement over email, and users can specify the email id the statement is sent to. Here’s Balaji’s theory: when the site lets users specify the email id, it probably also sends the phone number along as a hidden form variable, under the hood. If the server does not verify that the mobile number belongs to the logged-in session, it’s trivial to intercept the request and change the mobile number to that of another user.

What’s the safest way to build this? Accept only the email id from the request, and look up the mobile number from the database or a server-side session object, keyed on the session id. The quiz in the upcoming issue of Palisade is based on this :)
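To make the difference concrete, here is an added example (not code from Plynt or Airtel) that models the statement-by-email feature the way Balaji’s theory describes it, with the trusting version beside the fixed one and a check a defender could run over the legacy form’s requests. The session store, call records and request fields are constructed for illustration.

```python
# Added example, not code from Plynt or Airtel: a minimal model of the
# "email me my statement" feature the post describes. Session store,
# call-record table and request fields are constructed for illustration.

SESSIONS = {"sess-abc": {"mobile": "9810000001"}}   # session id -> logged-in subscriber
CALL_RECORDS = {                                    # mobile -> constructed call records
    "9810000001": ["9810000001 -> 9810000099 02:10"],
    "9810000002": ["9810000002 -> 9810000077 00:45"],
}

def vulnerable_send_statement(session_id, form):
    """The insecure design from Balaji's theory: the mobile number arrives as a
    hidden form field and is trusted, so any logged-in user who edits that
    field receives another subscriber's records."""
    if session_id not in SESSIONS:
        return None                                  # not logged in
    mobile = form["mobile"]                          # client-controlled value
    return {"to": form["email"], "records": CALL_RECORDS.get(mobile, [])}

def hardened_send_statement(session_id, form):
    """The fix the post recommends: accept only the email id from the request
    and derive the mobile number from the server-side session."""
    if session_id not in SESSIONS:
        return None
    mobile = SESSIONS[session_id]["mobile"]          # bound to the login, never the form
    return {"to": form["email"], "records": CALL_RECORDS[mobile]}

def mismatched_mobile(session_id, form):
    """Detection check for the legacy form: flag any request whose hidden
    'mobile' field disagrees with the session's subscriber, which is exactly
    the tampering the post describes."""
    session = SESSIONS.get(session_id)
    return session is not None and form.get("mobile") != session["mobile"]
```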



Modifying the mobile number, while using the attacker's own email id - that reminds me of the Password Reset vulnerability in some applications where the application sent the new password to the user's mail id. To simplify things, they passed the email id as a hidden variable when the user confirmed the reset request.

Now, all that an adversary had to do was request a reset on behalf of another user, then intercept the confirmation and change the email id to his own. The new password would be sent to the adversary, and the original user would have no clue what happened.