What is Airtel?
Bharti Airtel Limited, also known as Airtel, is an Indian global telecommunications services company based in Delhi, India. It operates in 18 countries across South Asia and Africa, and also in the Channel Islands. Airtel provides GSM, 3G, 4G LTE, 4G+ mobile services, fixed line broadband and voice services depending upon the country of operation.
- It is the third largest mobile network operator in India with over 325.5 million subscribers. [ Ref : TRAI – Telecom Subscription Data as on 30th September, 2019 – PAGE 14 ]
- And the second largest mobile network operator in the world with over 411.42 million subscribers. [ Ref : Wikipedia ]
What is the flaw?
The flaw existed in one of their API that allows you to fetch sensitive user information of any Airtel subscriber.
It Revealed information like First & Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, User Type [Prepaid/Postpaid] And Current IMEI number.
- The IMEI number can be used to identify the device of the user.
The Flaw is now fixed & Acknowledged by Airtel.
And the case study, with the video, was published after the story was made public.
“There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice,” an Airtel spokesperson told the BBC.
Why is it Big?
Every user that is on India’s Airtel network was at risk of getting his information leaked through this vulnerability, and risking over 325.5 million subscribers in India.
How do i reproduce the flaw?
For the video demonstration, I have made a script that sends a request to this API and fetches the user information.
Note: In the video & case study, the Information of User Address & API is hidden for security purposes. And the case study was made public, once it was fixed & acknowledged by Airtel.
Your data will be displayed below.....