Operator Vulnerability

Without doing too many turns of words I’ll tell you right away what the problem would be. At the time of writing this article, I noticed a conceptual programming bug of the official application of one of the largest telephone operators in Italy. I do not know if this is a known problem but the customer support that I alerted as soon as I noticed told me that it was not a known thing. They’re going to tell the technical department and keep us informed.

I will not name this telephone operator in this article to avoid damaging it and incurring legal challenges.

In practice it is a conceptual vulnerability that exposes you to a so-called MAN IN THE MIDDLE attack. Such an attack generally allows an attacker to sneak into the middle of a connection with the purpose of executing commands or simply acquire information.

In this particular case, a large part of the information that the app provides is referred to.

How the bug of this app works

Imagine two mobile phones smartphone, the first we will call it ALFA or primary and the second we will call it BETA or secondary. The primary smartphone shares the data connection with the secondary smartphone in hotspot mode. Because, for reasons supposedly due to ease of use and convenience, the official smartphone application of the telephone operator, at the time of writing, also contemplates direct access via ip address belonging to the ip pool assignable by the operator in question (so without entering credentials), the BETA smartphone, that is, the smartphone that hooks up to the shared connection, inheriting the same ip address, running the same application, has access to the same smartphone that shares the connection, which is the ALFA.

Why this could be a problem

Although you normally share the connection to allow one or more people known to us to connect, it is only right that we should know that along with the connection, you are also giving the possibility to access even information that we may not want to share as an ad for example our remaining credit and all the information that is available on the ALFA phone regarding our contract with the telephone operator.

What data is at risk

  • The phone number of the one who is sharing the connection;
  • The pricing plan;
  • Expenses: total, messages, digital services, refills;
  • Access to refills and offers, including any paypal profiles. Ability to order a refill with this data, edit offers, order other offers, cancel the phone offers associated with the card of those who share the connection as if it were your profile;
  • The puk code to unlock the card;
  • Limited access to called numbers. To view the last digits, you need a confirmation via code that arrives via sms.

How to fix it

Currently, the only way to prevent the problem from occurring is to not share your connection. Although it’s true that you generally share your connection with trusted people and enter a password, it’s also true that it shouldn’t, in my humble opinion, be possible to view and edit offers and anything else via an app that authenticates with the ip address.

As I discovered this error

After years of not going on holiday, I decided to take my partner to an Italian island. Although the real estate agency’s website said there is wifi for all apartments, I was forced to share my connection from my mobile phone because you have a plan with a very limited amount of gigabytes. We both have the same telephone operator and therefore we access the information related to promotions and credit through the official application of this operator. I was in the other room when my fiancée called me, clutching her mobile phone in her hand, because on her application it was sixty euros less than the credit she had displayed the day before. In addition, she informed me that there were several active services that she had never requested. We then called the customer support number and a very nice operator informed us that the credit that was on their monitors was different from what we saw in the application. We were told that maybe it could be a temporary malfunction but looking better in the app installed in my partner’s cell phone, I see my phone number. At that point I informed the operator of the thing and we inferred that the motivation is related to the fact that, since authentication also takes place via ip address, there had to be a conceptual problem in the application. To verify that the problem was indeed there and that it was not a case, we did several tests. Before calling customer support, my partner wanted to turn off unsolicited services that she thought had been arbitrarily activated on her card directly from the application. What would have happened if there had been penalties? What would happen if there were malicious or accidental activations of binding services? In the end, he greeted us by making sure that he would open a case to the technical department and that he would inform us of the outcome. I guess a respectable company not too late to solve this problem. But in the meantime, I thought it a good idea to inform you that sharing your phone connection can cause you headaches.

The purpose of this article and to whom it might be useful

I wrote this article to prevent what was going to happen to me. The purpose of this article is to prevent an unintentional leak of confidential information. To know if your carrier’s application is subject to this problem, you just need to test it with two smartphones. Open your carrier’s application in both mobile phones after connecting the second smartphone to the shared connection of the first and if you will see from the application of the second mobile phone the application data present in the first then it means that Your operator’s application is also affected by this issue. In case you want to “save” your friends or acquaintances from particularly embarrassing situations I recommend you share this article with them.

It's possible to leave a comment as registered users to the site, accessing through social, wordpress account or as anonymous users. If you want to leave a comment as an anonymous user you will be notified by email of a possible response only if you enter the email address (optional). The insertion of any data in the comment fields is totally optional. Whoever decides to insert any data accepts the treatment of these last ones for the inherent purposes of the service that is the answer to the comment and the strictly necessary communications.

Leave a Reply