ACT Fibernet Could Have Revealed User’s Email ID, Address Due to A Security Flaw

ACT Fibernet security flaw

Just yesterday, we reported that RailYatri’s server were exposed and could have let an intruder access private info of more than 7 lakh users. Security researchers have today reported that a vulnerability in ACT Fibernet’s service could have put the user’s email IDs, home address, and more at risk.

First spotted by security researcher Karan Saini, a security flaw on ACT Fibernet’s end allowed anyone to query an active user’s home address. Saini contacted the Internet service provider on discovering the issues and steps were taken to quickly resolve the problem.

Saini stumbled upon a severe security flaw while using the ACT Fibernet mobile app, which as per his report, would allow “a malicious actor to query the full name, home and work phone number, account number, internal ID, email and home address, connectivity status, as well as other information” associated to your account.

Now, the hacker only needs to know your phone number, which will help a query that returns the customer’s full name and account number. Once the account number has been retrieved, it could be used to query a user’s address, email ID, billing status, and more.

ACT Fibernet confirmed Saini’s findings and revealed that the issue emerged during one of its latest updates. It was discovered during the rollout itself and fixed at hand to avoid the private information of its users from being leaked to malicious actors. The company did patch a security loophole but since it confirmed that there hasn’t been a data breach, it does not plan on disclosing the same to any customers.

“Customer security is our number one priority, and we get security audits done every quarter and work with ethical hackers,” stated the ACT Fibernet spokesperson in an official statement (via Gadgets 360). The company is now actively working to roll out a bug bounty program, where it will award security researchers who discover flaws and loopholes in its services or servers. It plans to kick off the bug bounty program in the next 30 to 45 days.

Comments 0
Leave a Reply