Internet service provider Supersonic has fixed a security flaw in its customer status and data usage website that could leak client information.
The usage portal allowed you to look up information about a customer using their account number, username, mobile number, or SIM number.
However, clicking the “Submit” button next to the blank mobile number field resulted in a list of eight customer accounts being returned.
Each exposed account revealed the customer's name, cellphone number, account number, and username.
Because Supersonic account numbers are sequential, a user could also have scripted lookups to harvest data on every customer in the database. Fortunately, there is no evidence that such a mass-harvesting attack took place.
“We have stringent systems and processes in place to detect issues like this and when there is a potential risk, we act on it as an emergency priority,” Supersonic told MyBroadband.
“Supersonic is governed by MTN’s data breach policy and would notify customers of any breach if there was one.”
New Supersonic customer portal
Within three hours of the issue being reported to Supersonic, it had replaced its old status and data usage portal with a more secure version.
It only lets you view your connection status and data usage using the mobile phone number that has been linked to your account.
The new portal also has a basic arithmetic security question to prevent a human from manually trying many different mobile numbers in quick succession.
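The flaw described above (a blank lookup field matching every record) and the new portal's restriction to the mobile number linked to your account can both be illustrated in code. The following is an added example written for this article; it is not Supersonic's portal code, and the customer records, the session-bound mobile number, and the attempt limiter are constructed assumptions about how such a portal could be built.

```python
import time

# Constructed sample records; the real portal's data is not on the page.
CUSTOMERS = [
    {"account_number": "10001", "username": "alice", "mobile": "0821110001", "sim": "SIM-A"},
    {"account_number": "10002", "username": "bob",   "mobile": "0821110002", "sim": "SIM-B"},
    {"account_number": "10003", "username": "carol", "mobile": "0821110003", "sim": "SIM-C"},
]


def lookup_vulnerable(account_number="", username="", mobile="", sim=""):
    """Flawed lookup: filter on whichever fields are non-empty.

    When every field is blank the criteria dict is empty, all() over zero
    predicates is True, and the whole table comes back. This is the class of
    bug the article describes for a blank mobile-number submit.
    """
    submitted = {"account_number": account_number, "username": username,
                 "mobile": mobile, "sim": sim}
    criteria = {k: v.strip() for k, v in submitted.items() if v.strip()}
    return [c for c in CUSTOMERS
            if all(c[k] == v for k, v in criteria.items())]


def lookup_hardened(session_mobile, submitted_mobile):
    """Return only the record for the session's own mobile number, else None.

    Assumption (not stated on the page): the visitor is authenticated and the
    mobile number linked to their account is bound to the session, so the
    server never lets the client choose an arbitrary lookup key.
    """
    submitted = (submitted_mobile or "").strip()
    if not submitted:
        raise ValueError("a mobile number is required")
    if submitted != session_mobile:
        return None  # neither confirm nor deny that other numbers exist
    for c in CUSTOMERS:
        if c["mobile"] == submitted:
            return c
    return None


class AttemptLimiter:
    """Fixed-window counter: at most `limit` lookups per client key per window.

    Complements the portal's arithmetic challenge by throttling rapid
    successive lookups from one source server-side.
    """

    def __init__(self, limit=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = {}  # client key -> [window_start, count]

    def allow(self, client_key):
        now = self.clock()
        start, count = self._hits.get(client_key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        count += 1
        self._hits[client_key] = [start, count]
        return count <= self.limit


if __name__ == "__main__":
    print("blank submit, flawed lookup:", len(lookup_vulnerable()), "records")
    print("hardened, own number:", lookup_hardened("0821110001", "0821110001")["username"])
    print("hardened, other number:", lookup_hardened("0821110001", "0821110002"))
```

The key design point is that the hardened handler derives the lookup key from the authenticated session rather than from the request, so a missing or foreign value can never widen the query; the limiter is a second layer that makes rapid repeated lookups visible and throttled regardless of how they are submitted.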
Screenshots showing the new and previous portals are embedded below.
New Supersonic portal login page
Old Supersonic portal login page
Old Supersonic portal account list (redacted)
This is the account list that appeared if you clicked the “Submit” button next to the mobile number field on the previous page.