A security flaw in Vox Telecom’s website made it possible for an attacker to collect the personal details of the company’s subscribers.
MyBroadband has seen evidence of the attack, where URL manipulation was used to see a customer’s account ID, account username, and the user’s cellphone number.
The flaw was discovered by a Vox Telecom customer, himself a programmer, who noticed that the URL contained a customerID field.
“Being a programmer I noticed the URL and wondered what would happen if I changed the customer ID,” he said.
Changing the customer ID, shown in the URL below, exposed personal details of Vox Telecom subscribers.
After he discovered the flaw he notified a Vox Telecom support engineer, but the employee “wasn’t really interested”.
MyBroadband also alerted Vox Telecom to the security flaw, after which the company was quick to resolve the issue.
Vox Telecom said the issue has now been resolved, and users can no longer view another user’s information by changing the account number in the URL.
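The class of flaw described here, and the server-side check that closes it, can be sketched as follows. This is an added example, not Vox Telecom's code: the URL layout, the session store, the function names and all sample records are constructed assumptions; only the `customerID` parameter name comes from the article.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records; fields mirror the details the article says were exposed.
CUSTOMERS = {
    "1001": {"account_id": "1001", "username": "alice", "cellphone": "0820000001"},
    "1002": {"account_id": "1002", "username": "bob", "cellphone": "0820000002"},
}
# Constructed session store: session token -> customer ID bound at login.
SESSIONS = {"sess-alice": "1001", "sess-bob": "1002"}


def requested_id(url):
    """Return the customerID query parameter, or None if absent or repeated."""
    values = parse_qs(urlparse(url).query).get("customerID", [])
    return values[0] if len(values) == 1 else None


def view_account_vulnerable(url, session_token):
    """Flawed pattern: any logged-in user gets whichever record the URL names."""
    if session_token not in SESSIONS:
        return 401, None
    record = CUSTOMERS.get(requested_id(url))
    return (200, record) if record else (404, None)


def view_account_hardened(url, session_token, audit_log):
    """Serve a record only when the URL's ID matches the session's owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    wanted = requested_id(url)
    if wanted != owner:
        # Record the mismatch so repeated ID changes show up in monitoring.
        audit_log.append({"session_owner": owner, "requested": wanted})
        # Same response whether or not the ID exists, so nothing is confirmed.
        return 404, None
    return 200, CUSTOMERS[owner]
```

The hardened handler treats the ID in the URL as a claim to verify against the authenticated session, never as the source of truth for whose record to return.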
The image below shows the subscriber information which was exposed by the Vox Telecom website.
Hat tip to the person who detected the security flaw, and who alerted Vox Telecom.