Telephone operator application vulnerability

Without further ado, I will explain what the problem is. At the time of writing, I noticed a conceptual bug in the official application of one of the major telephone operators in Italy. I do not know if this is a known problem, but customer support, which I notified as soon as I noticed it, told me that it was not a known thing. They will report this to the technical department and keep us informed.

I will not name this telephone operator in this article, to avoid damaging it and incurring legal problems.

In practice it is a conceptual vulnerability that exposes users to a so-called man-in-the-middle attack. This type of attack generally allows an attacker to sneak into a connection in order to execute commands or simply acquire information.

In this specific case, what is exposed is a large part of the information that the app makes available.

How the bug in this application works

Let's imagine two smartphones: the first we'll call ALFA, or primary, and the second BETA, or secondary. The primary smartphone shares its data connection with the secondary smartphone in hotspot mode. Presumably for ease of use and convenience, the operator's official smartphone application, at the time of writing, also allows direct access by IP address when the address belongs to the pool of IPs assignable by the operator in question (therefore without entering credentials). As a result the BETA smartphone, which hooks up to the shared connection and so inherits the same IP address, has access to the same data as ALFA, the smartphone that shares the connection, when it runs the same application.
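The flaw described above, modelled as an added example (not code from the operator's application): the placeholder IP address, the line labels and all function names are assumptions. It contrasts selecting the account from the source IP alone with requiring a per-device token, which is one possible fix and not something the operator is known to use.

```python
import secrets

# Constructed sample data: carrier-side map of assigned IP -> subscriber line.
# 10.20.0.7 is a placeholder address, not a value from the article.
IP_TO_LINE = {"10.20.0.7": "line-ALFA"}

def source_ip_seen_by_server(device):
    # Hotspot NAT: a tethered phone leaves through the sharing phone's IP.
    return device["uplink_ip"]

def account_ip_only(device):
    """Flawed design: the network address alone selects the account."""
    return IP_TO_LINE.get(source_ip_seen_by_server(device))

# Hardened variant (assumption): identity comes from a secret issued to one
# device after an explicit login, never from the address it connects from.
DEVICE_TOKENS = {}

def enroll(device, line):
    """Issue a per-device token; the login step itself is not modelled."""
    token = secrets.token_urlsafe(32)
    DEVICE_TOKENS[token] = line
    device["token"] = token

def account_hardened(device):
    """Return the line bound to the device token, or None to force a login."""
    return DEVICE_TOKENS.get(device.get("token"))

ALFA = {"name": "ALFA", "uplink_ip": "10.20.0.7"}
BETA = {"name": "BETA", "uplink_ip": "10.20.0.7"}   # tethered to ALFA
GAMMA = {"name": "GAMMA", "uplink_ip": "10.20.0.7"}  # tethered, never logged in

enroll(ALFA, "line-ALFA")
enroll(BETA, "line-BETA")

if __name__ == "__main__":
    for d in (ALFA, BETA, GAMMA):
        print(d["name"], "ip-only:", account_ip_only(d),
              "| hardened:", account_hardened(d))
```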

Why this could be a problem

Although we normally share the connection so that one or more people we know can connect, we should be aware that, together with the connection, we are also giving them the possibility to access information that we might not want to share, such as our remaining credit and all the information available on the ALFA phone regarding our contract with the telephone operator.

What data is at risk

How to solve the problem

Currently, the only way to prevent the problem from occurring is not to share your connection. Although it is true that you generally share your connection with trusted people and set a password, it is also true that it should not, in my humble opinion, be possible to view and modify offers and so on through an app that authenticates you by IP address.

How I discovered this error

After years of not going on vacation, I decided to take my partner to an Italian island. Even though the real estate agency website said there was a wifi internet connection in all the apartments, I was forced to share the connection from my cell phone because she has a plan with a very limited amount of gigabytes. We both have the same telephone operator, and therefore we access information about promotions and credit through this operator's official application.

I was in the other room when my girlfriend called me, holding her phone in her hand, because her application showed sixty euros less credit than she had seen the day before. Furthermore, she informed me that there were several active services that she had never requested. We then called the customer support number, and a very friendly operator informed us that the credit that appeared on their monitors was different from the one we were viewing in the application. We were told that maybe it could be a temporary malfunction, but looking more closely at the application installed on my partner's phone, I saw my phone number. At that point I informed the operator, and we deduced that the cause was that, since authentication also takes place via IP address, there had to be a conceptual problem in the application. To verify that the problem was really there and that it was not a coincidence, we did several tests.

Before calling customer support, my partner wanted to deactivate, directly from the application, the unsolicited services she thought had been activated arbitrarily on her card. What would have happened if there had been penalties? What would happen if there were malicious or accidental activations of binding services? In the end the operator said goodbye, assuring us that he would open a case with the technical department and inform us of the outcome. I imagine that a respectable company will not take long to solve this problem. But in the meantime I thought it a good idea to inform you that sharing the connection from your mobile can cause you headaches.

The purpose of this article and to whom it could be useful

I have written this article to prevent what happened to me from happening to others. The purpose of this article is to avoid an unintended leak of confidential information. To find out whether your operator's application is subject to this problem, it is sufficient to do the test with two smartphones. Connect the second smartphone to the shared connection of the first, then open your operator's application on both phones: if the application on the second phone shows the same data as on the first, it means that your operator's application is also affected by this issue. If you want to "save" your friends or acquaintances from particularly embarrassing situations, I recommend you share this article with them.

// 2019-09-23 - 2019-09-23 // @ignistech #technology #computerscience #computersecurity #applications #smartphone