ACT Fibernet Users' Address, Email Could Have Been Revealed by Security Flaw

The flaw was found by a security researcher and has now been resolved by the company.

By Gopal Sathe | Updated: 25 August 2020 18:07 IST
Highlights
  • A security flaw was found with ACT broadband by a security researcher
  • An attacker with the user's phone number could access other details
  • This has been resolved by ACT quickly after being notified

ACT Fibernet is one of the fastest growing broadband networks

ACT Fibernet users' home addresses were at risk of being exposed to anyone who had their phone number — and once that was done, even their billing date and amount could have been accessed, according to a security researcher. “If you have an active ACT connection I could query your home address,” security researcher Karan Saini told Gadgets 360. On discovering the security flaw, Saini contacted ACT Fibernet, which has taken steps to resolve the problem, Saini confirmed.

Speaking to Gadgets 360, an ACT Fibernet spokesperson said that the issue was one that had emerged during the latest updates from the company, and it was detected during the rollout itself, and quickly resolved. "Customer security is our number one priority, and we get security audits done every quarter and work with ethical hackers," the spokesperson said. Last month, the company launched its ACT Shield virus protection app, and has taken steps to ensure customer security, the spokesperson added.

Confirming Saini's findings, the spokesperson said that ACT had also discovered the issue at the same time, and that is how it was able to fix it quickly. While it is commendable that ACT took swift action, it has chosen not to inform any customers — because there was no breach of information, the spokesperson claimed. "If there was any breach of information detected then we would inform the users, however in this case that has not happened," the spokesperson said. They added, "We of course take security very seriously, and are in the process of rolling out a bug bounty program in the next 30 to 45 days."

ACT is the third biggest wired broadband provider in India according to data from the Telecom Regulatory Authority of India (TRAI). Among private players, it is only behind Airtel, and particularly in South India, it's one of the most visible network companies.


“While using the ACT Fibernet mobile application, I came across a severe security and privacy flaw which could allow a malicious actor to query the full name, home and work phone number, account number, internal ID, email and home address, connectivity status, as well as other associated information tied to an ACT customer's account,” Saini explained.

To carry this out, the attacker only needs to know a victim's phone number. The ACT spokesperson said that this is not publicly known information; however, as many reports show, our phone numbers are widely compromised. The phone number would then be sent to one of the vulnerable endpoints through an HTTP POST request, which returns the customer's full name and account number. (A POST request is used to send data to the server, for example the contents of a form you've filled in, so that the server can send back the relevant information to the user.)


Once the account number has been retrieved, the attacker can then send a second request to another page on the ACT website with this information, and the next response will reveal more sensitive information, which includes the full home address line, alternate contact number, email ID, and connectivity status. This is made possible because there was no authorisation check on either page.

Curiously, this is not the first time that a security researcher has brought attention to this kind of problem for ACT. In a blog post from 2017, Abhay Rana wrote about a very similar issue, which was resolved three months after he brought it to the company's attention. Rana's blog contains the details of the flaw, which he found in November 2016, almost four years ago.


This is a common issue, notes Moesif co-founder Derric Gilling, writing on the company blog. Moesif customers include Deloitte, Oyo, UPS, and DHL. Gilling noted, “One of the challenges is having a well thought out authentication and authorisation strategy. Authentication involves verifying who the person says he/she is. Authentication does not say this person can access a particular resource. Authorisation involves checking resources that the user is authorised to access or modify via defined roles or claims. For example, the authenticated user is authorised for read access to a database but not allowed to modify it.”
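
The two-step lookup described above, and the authentication/authorisation distinction Gilling draws, shown as an added example that is not code from the article or from ACT's systems. The handler names, session table and customer records are hypothetical and constructed for illustration; the unchecked pair reproduces the missing check, and the hardened pair ties every lookup to the account the session was issued for.

```python
# Added illustration: constructed data and hypothetical handler names,
# not ACT Fibernet's actual API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Customer:
    account_no: str
    phone: str
    name: str
    address: str
    email: str

# Constructed sample records.
CUSTOMERS = [
    Customer("A1001", "9000000001", "Asha Rao", "12 Lake Rd", "asha@example.com"),
    Customer("A1002", "9000000002", "Vikram Iyer", "7 Hill St", "vikram@example.com"),
]
BY_PHONE = {c.phone: c for c in CUSTOMERS}
BY_ACCOUNT = {c.account_no: c for c in CUSTOMERS}
SESSIONS = {"tok-asha": "A1001"}  # session token -> account it was issued for

class Forbidden(Exception):
    """Caller is not allowed to read the requested record."""

# Pattern described in the article: no authorisation check on either step.
def lookup_account_unchecked(phone):
    c = BY_PHONE[phone]
    return {"name": c.name, "account_no": c.account_no}

def account_details_unchecked(account_no):
    c = BY_ACCOUNT[account_no]
    return {"address": c.address, "email": c.email}

# Hardened: the requested record must belong to the session owner.
def _session_account(token):
    account_no = SESSIONS.get(token)
    if account_no is None:
        raise Forbidden("not authenticated")      # authentication
    return account_no

def lookup_account(token, phone):
    owner = BY_ACCOUNT[_session_account(token)]
    if phone != owner.phone:                      # authorisation
        raise Forbidden("record not accessible")  # same error for unknown numbers
    return {"name": owner.name, "account_no": owner.account_no}

def account_details(token, account_no):
    if account_no != _session_account(token):     # authorisation
        raise Forbidden("record not accessible")
    c = BY_ACCOUNT[account_no]
    return {"address": c.address, "email": c.email}
```

Because the hardened lookup compares against the session owner's own record instead of searching by the supplied value, it also gives the same answer for another customer's number and for a number that is not registered at all.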

Gadgets 360 has seen the details of this process to verify what Saini found. He confirmed that ACT responded quickly and resolved the problem, and so customers don't have to worry about this issue anymore.

This is the second time this year that ACT has been found to have security issues. In January this year, it was reported that there was a security issue affecting the routers that the company deployed in its customers' homes.

This issue, which was also found by Saini, meant that a flaw in the security settings for ACT-issued routers could expose them to the open Internet.

He had found that the routers distributed by the company had been set up allowing remote connections to the routers by default, and if customers did not manually change the device passwords, an attacker could have gained access to the router's management portal, at which point they could snoop on your Internet usage, and steal Internet usernames and passwords.

After the report was published, ACT Fibernet had taken steps to safeguard its users and resolve the security gap. It also launched a round of customer outreach to assist affected customers, the company stated at the time.

