Date: 2019-12-08

A security flaw recently discovered in Airtel’s mobile app exposes customer details such as name, address, email address, and IMEI number of the phone to hackers. More than 300 million users of the company are at risk, a recent report said.

According to the report, the vulnerability was associated with the Airtel app’s application programming interface (API) and could have been misused by hackers to access the personal data of users by using only their mobile number. That said, the flaw, thankfully, has been fixed after it was brought to Airtel’s attention.

This flaw in the app, which appears to be easy for a hacker with the appropriate technical know-how to find, was discovered by a Bengaluru-based researcher.

The researcher, identified as Ehraz Ahmed, said that the flaw existed in one of Airtel’s APIs and allowed hackers to fetch sensitive user information of any Airtel subscriber. The flaw exposes information such as First & Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, User Type [Prepaid/Postpaid] and Current IMEI number of the phone. Ahmed has also published a case study and a proof of concept video in this context.

The flaw leaves the email addresses of Airtel customers vulnerable to spam and targeted attacks. That said, the researcher assured that the flaw didn’t impact users through Airtel’s website. He further added that it was one of the biggest findings in India so far, with more than 325 million users affected.

Airtel, meanwhile, claims to have fixed the flaw. “There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice”, an Airtel spokesperson said while adding that the company’s digital platforms are highly secure and that customer privacy is of paramount importance for the company.

The company, meanwhile, didn’t confirm if there has been an actual breach and whether the data of all customers was secure.