Tata Sky and Croma, both owned by the Tata Group, exposed the data of millions of their customers through security vulnerabilities, according to a cybersecurity researcher. The issues allowed bad actors to access sensitive data, including the full names, phone numbers, addresses, dates of birth, and email IDs of both Tata Sky and Croma customers, by leveraging loopholes in the application programming interfaces (APIs) on their websites. Both companies fixed the vulnerabilities after they were publicly reported.
Cybersecurity researcher Rahil Bhansali discovered the vulnerabilities existed on the Tata Sky and Croma sites. He was able to understand their extent in collaboration with his colleague Ankit Pandey.
Shortly after discovering the vulnerabilities and establishing their scope, Bhansali wrote about them on Medium. The researcher said the vulnerability on Tata Sky's site exposed subscribers' data, including their names, gender, date of birth, email IDs, registered mobile numbers and alternative phone numbers, and mailing addresses.
Apart from the personal information of subscribers, the researcher noted that the vulnerability exposed subscription details, including the subscriber ID, subscription date, transaction history since the first subscription, and the number of active and inactive set-top boxes held by the subscriber.
The researcher mentioned in his Medium post that the data of over 22 million Tata Sky subscribers was accessible through the vulnerability to anyone with basic coding skills and a working knowledge of APIs. It was, however, unclear whether a bad actor had already exploited the issue to access user data.
Bhansali was able to understand the flaw after visiting Tata Sky’s website to do a quick recharge by entering his phone number. “To my surprise, it showed me my name, subscriber id, balance and subscription end date without even any form of login,” he wrote.
The researcher confirmed the extent of the exposure by running a script that queried the lookup with different phone numbers. Upon understanding the flaw, he spoke with Tata Sky CEO Harit Nagpal to explain the problem, and that reportedly resulted in the fix.
Bhansali, however, noted that one issue still remained where the subscribers’ name was still accessible for any mobile number.
“I’ve spent time in checking other providers as well like Jio, Vodafone, Airtel — and they’ve all prevented from implementing such user experiences presumably because of similar security risks,” the researcher said.
A spokesperson from Tata Sky was not immediately available at the time of filing this story to provide a comment on the fix.
Update, 2:46pm: A Tata Sky spokesperson noted: “We have proactive monitoring and security measures which make sure that if a single source tries to extract multiple subscriber records, using whatever means, one record at a time or many via a software, automated alerts are generated to prevent a potential data theft attempt.” You can see the full statement at the bottom of this story.
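As an added example that is not code from Tata Sky, Croma or the researcher: a minimal detection along the lines of the monitoring the spokesperson describes, flagging a single source that looks up many distinct phone numbers against an unauthenticated lookup endpoint within a short window. The log format and the /api/recharge/lookup path are constructed assumptions, not the real endpoint.

```python
"""Detect phone-number enumeration against an unauthenticated lookup endpoint.

Constructed example: the log lines below are invented, and the path
/api/recharge/lookup is a placeholder for a 'quick recharge' style lookup
keyed on a mobile number. Not code from Tata Sky, Croma or the researcher.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample: timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2021-01-11T10:00:01Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000001 200
2021-01-11T10:00:02Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000002 200
2021-01-11T10:00:02Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000003 200
2021-01-11T10:00:03Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000004 200
2021-01-11T10:00:03Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000005 200
2021-01-11T10:00:04Z 203.0.113.7 GET /api/recharge/lookup?mobile=9800000006 200
2021-01-11T10:05:00Z 198.51.100.4 GET /api/recharge/lookup?mobile=9811111111 200
2021-01-11T10:06:30Z 198.51.100.4 GET /api/recharge/lookup?mobile=9811111111 200
"""

def parse_line(line):
    """Split one log line into (timestamp, client IP, queried mobile number)."""
    ts, ip, _method, path, _status = line.split()
    mobile = path.split("mobile=", 1)[1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, mobile

def find_enumerators(log_text, max_distinct=5, window=timedelta(minutes=1)):
    """Return {ip: distinct_numbers} for IPs that looked up more than
    `max_distinct` different numbers inside any `window`. Repeated lookups of
    one number (a subscriber recharging their own line) do not count."""
    events = defaultdict(list)  # ip -> [(time, mobile), ...]
    for line in log_text.splitlines():
        ts, ip, mobile = parse_line(line)
        events[ip].append((ts, mobile))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            in_window = {m for t, m in seen[i:] if t - start <= window}
            if len(in_window) > max_distinct:
                flagged[ip] = len(in_window)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

In production the same logic would run over a streaming log source and feed an alert or rate limiter; the threshold and window are tuning knobs, not fixed values.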
In addition to the vulnerability existing on the Tata Sky site, Bhansali found a similar issue with the Croma site wherein he was able to find the name, registered mobile number, mailing address, and offline and online transaction history of customers purchasing goods from the retail chain.
Ritesh Ghosal, Chief Marketing Officer at Infinity Retail, which operates under the brand Croma, informed Gadgets 360 that the reported issue had been fixed.
“We have reviewed the concerns and detailed findings shared by Mr. Bhansali and have put in place further security measures to add an additional layer of security in place across our systems with immediate effect,” he said in a response over email.
The personal information exposed by vulnerabilities such as the ones found on the Tata Sky and Croma sites could be used to run phishing attacks and target individuals with scam emails and text messages.
“We at Tata Sky are conscious of the privacy of the details of our subscribers and take utmost care to protect it from being exploited by an outsider for their own commercial purpose.
We have proactive monitoring and security measures which make sure that if a single source tries to extract multiple subscriber records, using whatever means, one record at a time or many via a software, automated alerts are generated to prevent a potential data theft attempt.
We have not had any data theft issues in the distant or recent past which could materially impact our customers.
We keep reviewing our policies and data security systems regularly, to stay one step ahead of newer risks which might emerge from time to time.
As a matter of abundant caution we did carry out a special drill to reassure ourselves that our alarms were still working and there is no possibility of a breach of the nature suggested in the blog.” – Tata Sky Spokesperson