Tata Sky, Croma Site Vulnerabilities Exposed Sensitive Customer Data of Millions of Customers; Fixed Now

Tata Sky and Croma, two entities owned by Tata Group, exposed the data of millions of their customers due to security vulnerabilities, according to a cybersecurity researcher. The issues allowed bad actors to access sensitive data including the full names, phone numbers, addresses, dates of birth, and email IDs of both Tata Sky and Croma customers by leveraging loopholes in the application programming interfaces (APIs) on their websites. Both companies fixed the vulnerabilities after these were reported on the Web.

Cybersecurity researcher Rahil Bhansali discovered the vulnerabilities existed on the Tata Sky and Croma sites. He was able to understand their extent in collaboration with his colleague Ankit Pandey.

Shortly after discovering the vulnerabilities and establishing their scope, Bhansali wrote about them on Medium. The researcher said the vulnerability on the Tata Sky site exposed subscribers' data, including their names, gender, date of birth, email IDs, registered mobile numbers and alternative phone numbers, and mailing addresses.

Apart from the personal information of subscribers, the researcher noted that the vulnerability exposed subscription details including the subscriber ID, subscription date, transaction history since the first subscription, and the number of active and inactive set-top boxes held by the subscriber.

The researcher mentioned in his Medium post that the data for over 22 million Tata Sky subscribers was accessible through the vulnerability by anyone who knows coding and has the knowledge to work with APIs. It was, however, unclear whether the issue already allowed a bad actor to access user data.

Bhansali was able to understand the flaw after visiting Tata Sky’s website to do a quick recharge by entering his phone number. “To my surprise, it showed me my name, subscriber id, balance and subscription end date without even any form of login,” he wrote.

The researcher confirmed the extent of the exposure by running a script that queried the vulnerable endpoint with different phone numbers. Upon understanding the flaw, he spoke with Tata Sky CEO Harit Nagpal to explain the problem, which reportedly resulted in the fix.

Bhansali, however, noted that one issue still remained where the subscribers’ name was still accessible for any mobile number.

“I’ve spent time in checking other providers as well like Jio, Vodafone, Airtel — and they’ve all prevented from implementing such user experiences presumably because of similar security risks,” the researcher said.

A spokesperson from Tata Sky was not immediately available at the time of filing this story to provide a comment on the fix.

Update, 2:46pm:

In addition to the vulnerability existing on the Tata Sky site, Bhansali found a similar issue with the Croma site wherein he was able to find the name, registered mobile number, mailing address, and offline and online transaction history of customers purchasing goods from the retail chain.

Ritesh Ghosal, Chief Marketing Officer at Infinity Retail, which operates under the brand Croma, informed Gadgets 360 that the reported issue had been fixed.

“We have reviewed the concerns and detailed findings shared by Mr. Bhansali and have put in place further security measures to add an additional layer of security in place across our systems with immediate effect,” he said in a response over email.

The personal information exposed by vulnerabilities such as the ones found on the Tata Sky and Croma sites could be used to run phishing attacks and target individuals with scam emails and text messages.

“We at Tata Sky are conscious of the privacy of the details of our subscribers and take utmost care to protect it from being exploited by an outsider for their own commercial purpose.

We have proactive monitoring and security measures which make sure that if a single source tries to extract multiple subscriber records, using whatever means, one record at a time or many via a software, automated alerts are generated to prevent a potential data theft attempt.

We have not had any data theft issues in the distant or recent past which could materially impact our customers.

We keep reviewing our policies and data security systems regularly, to stay one step ahead of newer risks which might emerge from time to time.

As a matter of abundant caution we did carry out a special drill to reassure ourselves that our alarms were still working and there is no possibility of a breach of the nature suggested in the blog.” – Tata Sky Spokesperson
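The flaw described above (a quick-recharge lookup that returns a subscriber's record for any phone number without login) and the enumeration alerting Tata Sky describes in its statement, shown together as an added example; this is illustrative code written for this article, not Tata Sky's or Croma's, and the subscriber table, masking rule and thresholds are constructed assumptions.

```python
# Added example (not the companies' code): an unauthenticated phone-number lookup
# beside a hardened version that masks PII until OTP verification and flags
# any single source that enumerates many distinct numbers in a short window.
from collections import defaultdict, deque

# Constructed sample subscriber table keyed by registered mobile number.
SUBSCRIBERS = {
    "9800000001": {"name": "Asha Verma", "subscriber_id": "1000000001",
                   "balance": 150.0, "end_date": "2021-02-15"},
    "9800000002": {"name": "Rohan Iyer", "subscriber_id": "1000000002",
                   "balance": 0.0, "end_date": "2021-01-10"},
}

def vulnerable_lookup(phone):
    """The flaw in the article: the full record for any phone number, no login."""
    return SUBSCRIBERS.get(phone)

def mask_name(name):
    """Keep only initials so a harvested response carries no usable PII."""
    return " ".join(p[0] + "*" * (len(p) - 1) for p in name.split())

class EnumerationDetector:
    """Alert when one source queries more than `limit` distinct numbers within `window` seconds."""
    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # source -> deque of (timestamp, phone)

    def record(self, source, phone, ts):
        q = self.seen[source]
        q.append((ts, phone))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        return len({p for _, p in q}) > self.limit

DETECTOR = EnumerationDetector()

def hardened_lookup(phone, source, ts, otp_verified=False):
    """Before OTP: only existence plus a masked name hint. After OTP: the full record.
    A source that enumerates numbers is refused and an alert flag is raised."""
    if DETECTOR.record(source, phone, ts):
        return {"error": "too many lookups", "alert": True}
    rec = SUBSCRIBERS.get(phone)
    if rec is None:
        return {"exists": False, "name_hint": None}
    if not otp_verified:
        return {"exists": True, "name_hint": mask_name(rec["name"])}
    return dict(rec)
```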
