Vox Telecom website security flaw exposed subscribers’ personal details

A security flaw in Vox Telecom’s website made it possible for an attacker to collect the personal details of the company’s subscribers.

MyBroadband has seen evidence of the attack, where URL manipulation was used to see a customer’s account ID, account username, and the user’s cellphone number.

The flaw was discovered by a Vox Telecom customer, who is also a programmer, after he noticed that the URL contained a customerID field.

“Being a programmer I noticed the URL and wondered what would happen if I changed the customer ID,” he said.

Changing the customer ID, shown in the URL below, exposed personal details of Vox Telecom subscribers.

https://portal.vox.co.za/vox/portal/login/forgotpassword.jsp?customerId=XXXXXXXX

After he discovered the flaw he notified a Vox Telecom support engineer, but the employee “wasn’t really interested”.

MyBroadband also alerted Vox Telecom to the security flaw, after which the company was quick to resolve the issue.

Vox Telecom said the issue has now been resolved, and users can no longer view another user’s information by changing the account number in the URL.
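As an added illustration (not part of the original article and not Vox Telecom's code), the following sketch shows how a site operator could spot this kind of customer ID enumeration in web access logs. The path and parameter name come from the URL above; the combined log format, the threshold, and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Path and parameter name come from the URL in the article; the log format
# (Apache/nginx "combined") and the threshold are assumptions for this example.
TARGET_PATH = "/vox/portal/login/forgotpassword.jsp"
PARAM = "customerid"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# Constructed sample lines, not real traffic (documentation-range addresses).
_REQ = '{ip} - - [01/Jan/2000:10:00:{s:02d} +0200] "GET {path} HTTP/1.1" 200 5120'
_PAGE = TARGET_PATH + "?customerId="
SAMPLE_LOG = (
    [_REQ.format(ip="198.51.100.7", s=i, path=_PAGE + str(10000001 + i)) for i in range(4)]
    + [_REQ.format(ip="203.0.113.20", s=30 + i, path=_PAGE + "20000555") for i in range(2)]
    + [_REQ.format(ip="203.0.113.99", s=50, path="/vox/portal/index.jsp")]
    + ["malformed line that the parser must skip"]
)


def distinct_ids_per_client(lines):
    """Map client IP -> set of distinct customerId values it requested."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash
        url = urlsplit(m["target"])
        if url.path.lower() != TARGET_PATH:
            continue
        for key, values in parse_qs(url.query).items():
            if key.lower() == PARAM:  # parameter names may vary in case
                seen[m["ip"]].update(values)
    return seen


def flag_enumeration(lines, max_ids=2):
    """Return clients that requested more than max_ids distinct customer IDs."""
    per_client = distinct_ids_per_client(lines)
    return {ip: sorted(ids) for ip, ids in per_client.items() if len(ids) > max_ids}


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct customer IDs: {', '.join(ids)}")
```

Grouping by client IP is a coarse signal, since many subscribers can share one address behind NAT; where session identifiers are logged, grouping on those gives fewer false positives.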

The image below shows the subscriber information which was exposed by the Vox Telecom website.

[Image: Vox Telecom security flaw]

Hat tip to the person who detected the security flaw, and who alerted Vox Telecom.
