CyberX9's cyber security research team discovered multiple critical security vulnerabilities in Vodafone Idea ("Vi") due to which Vi exposed customer’s sensitive and confidential personal data including call logs of nearly 301 million customers to the whole internet. This also includes all (~20 million) postpaid Vi customers. Vi left one of the main discovered vulnerability open for cyber attacks for the last ~2 years. Vi was vulnerable since last ~2 years to one of the main discovered vulnerability but Vi only fixed the data expose only after we discovered and responsibly reported it now.
Vodafone Idea had put millions of its customers data (call logs, etc.) at absolute risk and absolutely damaged their privacy of private lives due to Vodafone Idea’s carelessness towards security of customer data. Exploitation of these vulnerabilities was very easily possible on a large scale by a malicious attacker.
[.c-script-wrapper-2][.c-box-script-2]The information of Vi customers being exposed due to these vulnerabilities includes but not limited to, [.c-text-bg-red]all call records[.c-text-bg-red] (date/time, other phone number talked to, and duration), [.c-text-bg-red] all SMS records[.c-text-bg-red], [.c-text-bg-red] internet usage details [.c-text-bg-red], [.c-text-bg-red] location details [.c-text-bg-red], [.c-text-bg-red]full name[.c-text-bg-red], [.c-text-bg-red]Vi phone number[.c-text-bg-red], [.c-text-bg-red]residential address[.c-text-bg-red], [.c-text-bg-red]alternate contact number[.c-text-bg-red], [.c-text-bg-red]bill payment transaction details[.c-text-bg-red], plan details, bill details of many months, credit limit, and so on. [.c-box-script-2][.c-script_bottom-star][.c-script_bottom-star][.c-script_top-star][.c-script_top-star][.c-script-wrapper-2]
All of these discovered vulnerabilities were possible to be used for large scale automated exfiltration of sensitive and confidential user data without any restrictions by Vodafone Idea’s systems.
We responsibly and in good faith reported the findings to Vodafone Idea within few hours of vulnerabilities being discovered and confirmed by our team. Our team worked tirelessly, in order to get the detailed report delivered to Vodafone Idea so that they can fix these critical vulnerabilities without any delay and secure the sensitive data affecting millions of Indian. Vodafone Idea didn't fixed the vulnerabilities for multiple days even after getting our report.
The discovered vulnerabilities were extremely easy to discover and exploit by anyone with good computer knowledge. The vulnerabilities discovered were improper authorization and IDOR vulnerabilities, leading to exposing the massive amount of sensitive data to the whole internet. There was no need to break any type of authentication on Vi's systems as part of the vulnerabilities discovered in order to expose such data but rather just sequentially going up and down in a range of numbers as input to get data of millions of customers through API requests. There is high potential that these vulnerabilities were used in this ~2 year timeframe by malicious hackers to steal all the data.
Our team tested Vi's security posture since some of our team members are also Vi's customers.
The information exposed by Vodafone Idea of millions of it’s customers (including ~20 million postpaid customers), includes but not limited to:
[.c-text-star][.c-text-star]- Vi customers call records. Includes following details every call made:
- call date and time
- contacted phone number
- call duration
- location from where the call was done (roaming state)
[.c-text-star][.c-text-star]- Vi customers full name
[.c-text-star][.c-text-star]- Vi customers phone/mobile number
[.c-text-star][.c-text-star]- Vi customers complete residential address
[.c-text-star][.c-text-star]- Vi customers alternate contact number
[.c-text-star][.c-text-star]- Vi customers family members details
[.c-text-star][.c-text-star]- Vi customers SMS records. Includes following details for every SMS made:
- SMS date and time
- contacted phone number
[.c-text-star][.c-text-star]- Vi customers mobile internet usage details, includes, data consumed on any given day
[.c-text-star][.c-text-star]- Vi customers value added services details
[.c-text-star][.c-text-star]- Vi customers bill payment transaction details
[.c-text-star][.c-text-star]- Vi customers plan details
[.c-text-star][.c-text-star]- Vi customers credit limit
[.c-text-star][.c-text-star]- Vi customers bill details for many last months
[.c-text-star][.c-text-star]- Vi customers bill copies, and so on.
These vulnerabilities pose a massive impact to security and privacy of, nearly 301 million Vi customers and will expose people to different types of threats, some of people affected can be secret government employees or high-net worth individuals or anyone under threat of some sort. This would permanently damage millions of Vodafone Idea customers privacy and security. Vi being, generally considered a trusted telecom operator, is also used by many sensitive people like politicians, senior government officials, judges, business tycoons, and similar people – and this massive data expose affects all of them too.
This puts the millions of Vi customers at extreme risk of different types of critical attacks.
Vi claims to have high standards of data and systems security, and these findings strongly proves that claim a false statement. The state of security of sensitive personal data including call logs of millions of its customers and overall cyber security posture is visibly extremely horrible at Vodafone Idea.
This was a case of sheer negligence by Vodafone Idea in securing sensitive millions of customers personal data. The vulnerabilities discovered weren't highly complex for our team to discover. So does any malicious attacker who could’ve discovered it too in the last ~two years time period, could've stolen all the data. We strongly suspect that the data might’ve already been stolen by malicious attackers. There is a need for a fair security audit of Vodafone Idea by the government.
[.c-box-wrapper][.c-box]“committed to protecting the personal data that you provide to us and has an established record of integrating secure practices. VIL is certified in ISO 27001:2013 which validates that VIL has an appropriate Information Security Management System in place.” — Vodafone Idea claims on their website[.c-box][.c-box-wrapper]
[.c-box-wrapper][.c-box]Doesn't bother to fix critical security vulnerabilities for at least the last ~2 years and exposed millions of customers personal data including call logs, and only stopped the data expose after CyberX9 discovered and reported to Vi— truth, in reality [.c-box][.c-box-wrapper]
The nature of the vulnerabilities here indicates extreme negligence in handling sensitive personal data of millions of people. And that is not something we expect from one of the major Indian telecom operator. Vi clearly do not stand on what they promise about the security and confidentiality of customer data.
Vodafone Idea also claims to be ISO/IEC 27001:2013 certified company. Vodafone Idea have in fact even violated ISO/IEC 27001:2013 due to these multiple easily discoverable and exploitable vulnerabilities and also them being unpatched for so long. ISO/IEC 27001:2013 requires a certified organization for "timely identification of vulnerabilities" and remediation of the vulnerability. Vodafone Idea failed to identify these easy to find and exploit vulnerabilities for so long. Vodafone Idea is clearly in breach of the ISO/IEC 27001:2013.
The vulnerabilities are extremally critical due to their massive impact, but the nature of vulnerability found here also indicates horrible security practices at Vi. That’s why, from our vast experience in the security field, our researchers strongly suspect there might be more such critical security issues in Vi— potentially resulting in much more critical impact to the lives of millions of Vi customers.
The impact of these vulnerabilities was extremely critical and huge since due to them, Vodafone Idea, exposed very sensitive and confidential call logs and other personal data of nearly 301 million customers including all postapaid customers of Vi.
These vulnerabilities could've or might've already been easily used by malicious attackers to steal millions of customers sensitive data and maliciously use it, resulting in things like identity theft, extortion, threats, national security threats, along with being able to get data of millions of customers. There are immeasurable number of ways in which the level of data being exposed by Vodafone Idea can be used by malicious attackers to permanently harm the lives of millions of Vodafone Idea customers and Indian national security.
The exposed extremely sensitive personal data which is usually goldmine of information needed for many malicious attacks against millions of people. Though there is an indefinite number of possible malicious use cases for such highly sensitive data of millions of people, below are few to give people an idea.
[.c-h1]⠀1.⠀[.c-h1] Malicious people could use such data to harass and harm people based on their call logs and other exposed details.
[.c-h1]⠀2.⠀[.c-h1] Malicious people could use such data for identity theft of Vodafone Idea customers. As part of identity theft they can potentially, open bank accounts for fraud purposes, take loans, and similar using this exposed data in the names of Vodafone Idea's customers.
[.c-h1]⠀3.⠀[.c-h1] The information exposed by Vodafone Idea could be a virtual gold mine also for phishers and scammers involved:
“Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication.” — SearchSecurity
[.c-h1]3.1.[.c-h1] in so-called Business Email Compromise (BEC) scams, which often impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.
[.c-h1]3.2.[.c-h1] in scams, extortion calls to filtered individuals based on their financials from this exposed data.
[.c-h1]3.3.[.c-h1] in scam calls pretending to be from the victim's bank or Income Tax Department or some other institution and getting the victims to trust by telling them their sensitive personal and financial details being exposed from this vulnerability.
[.c-h1]3.4.[.c-h1] in income tax refund scams.
Armed with such access to Vodafone Idea's exposed data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails to use.
[.c-h1]4.[.c-h1] Such sensitive and confidential data expose pose a massive impact to security and privacy of millions of people and will expose people to different types of threats, some of people affected can be secret government employees, defense personal, politicians, senior government officials, business tycoons, high-net worth individuals or anyone under threat of some sort. This would permanently damage millions of Vodafone Idea users privacy and security.
[.c-h1]5.[.c-h1] People commonly use the type of information been exposed here as their passwords and security questions to services. That’s why it can also lead to people’s social media, emails, and other accounts being hacked by malicious attackers using their information from this expose.
[.c-h1]6.[.c-h1] Such sensitive personal data expose of massive numbers of people easily leads to things like financial fraud, identity theft, and exposing people to things like extortion, targeted attacks against people, etc. The type of data being exposed is also used for secret questions for multiple services like net banking and verification for different things.
For years, governments have been imposing hefty fines on companies for exposing and leaking customer data worldwide. Under the GDPR law of the European Union, even when a company clearly didn’t take reasonable security steps to secure sensitive data, the companies got hefty fines.
Some prominent past incidents of such fines:
[.c-row-flex][.c-box-pink]“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source[.c-box-pink][.c-text-column][.c-text-column][.c-row-flex]
Under GDPR law, famously British Airways and Marriott have all received fines over €10,000,000 for GDPR violations where they exposed customer data and were fined for insufficient technical and organizational measures to ensure information security (similar to Vodafone Idea). You can see other fines made under GDPR privacy law for cyber security negligence here.
We responsibly and in good faith reported the findings to Vodafone Idea within few hours of vulnerabilities being discovered and confirmed by our team. Our team worked tirelessly on weekend of 21st August 2022, in order to get the detailed report sent to Vodafone Idea so they can fix these critical vulnerabilities without any delay and secure the sensitive data affecting millions of people and national security. We emailed our detailed report in early morning on, 21st August 2022, to Vodafone Idea's executive team including Vodafone Idea's CEO. The report was of almost 16 pages and contained all details ranging from technical details of all vulnerabilities to their impact.
[.c-box-wrapper][.c-box]What could’ve taken a maximum of 1 hour, took around 5 days for Vodafone Idea after our alert to secure their systems to stop the exposure of sensitive data of ~301 million customers[.c-box][.c-box-wrapper]
Vodafone Idea exposed sensitive data of ~301 million customers to the whole internet for at least the last two years. Doesn’t fix the vulnerabilities even after our alert. Keeps the sensitive personal data including call logs being exposed and put ~301 million people at risk even after being alerted.
Our team confirmed the vulnerabilities to not being exploitable on 25th August 2022. Vi never confirmed to us that when they will fix the vulnerabilities.
Along with our report to Vodafone Idea, we also requested to let us know a timeline of till when Vodafone Idea plans to fix the vulnerabilities. But we never received such timeline from them even after multiple requests to Vi. This was extremely surprising to us, considering when a company is exposing sensitive and confidential data of millions of its customers and also affecting national security of India. Vodafone Idea's horrible "no action" strategy for security of customer data and protecting the confidential data speaks a lot about their ethics and security posture.
Despite several reminders Vodafone Idea didn't inform us when they would fix these critical vulnerabilities exposing data of millions of people but rather just dragging it on left us with no option except to contact CERT-In and NCIIPC on 24th August 2022. We shared the same detailed report that we shared with Vodafone Idea detailing all the vulnerabilities with CERT-In and NCIIPC. We also notified TRAI and other regulatory and nodal agencies of India.
Below is our overview timelines of communication with Vodafone Idea, CERT-In and NCIIPC.
22nd August 2022, at ~3am: Our team confirmed the vulnerabilities and shared our detailed report (CYX-486523) of 16 pages containing detailed findings, summary, background, impact, and analysis with Vodafone Idea’s top management including CEO and CTO
22nd August 2022, at ~9pm: Vi CISO replied thanking us for our report and mentioned that their team is still analysing the issues which was strange and extremely sluggish since they were still after 19 hours of receiving our report were exposing the data to the whole internet.
– We kept requesting Vi to fix the vulnerabilities at the earliest.
24th August 2022: Reported to CERT-In and NCIIPC in order to escalate this after no confirmation from Vodafone Idea even after almost 3 days for fixing the vulnerabilities.:
24th August 2022: Vodafone Idea acknowledged the vulnerabilities detailed in our report, CYX-486523. But still Vi didn't confirmed if the vulnerabilities have been fixed or not.
25th August 2022: CERT-In and NCIIPC both replied thanking us for our work and that they've escalated this.
25th August 2022: CyberX9 team confirmed the vulnerabilities are no longer exploitable.
There is an urgent and important need for an independent and fair security audit of Vodafone Idea ordered by the Government of India.
It’s a big issue if the nation’s major telecom providers have such a poor cyber security posture and handles sensitive customer data including call logs with such negligence.
There is high possibility that malicious attackers might’ve already exploited these vulnerabilities in Vi since it is a widely exploited type of vulnerabilities and Vi have been vulnerable to one of the main discovered vulnerability for the last ~2 years. The attackers might've stolen a big amount sensitive data.
Vi's should have restrictions imposed to protect further from harm to national security and privacy of Indians, until a through investigation by a government agency is done.
We strongly recommend companies not to take cyber security as an optional thing but as one of the most important things to do. All companies should get regular security testing of their applications done by experienced and skilled cyber security service providers to avoid such security vulnerabilities. Especially organizations, which handles massive amounts of sensitive and confidential data of millions of people, should have continuous security testing of their applications done by skilled cyber security service providers.
Policybazaar, a major Indian insurance aggregator funded by a Chinese, exposed sensitive and confidential personal, health, and financial data of around 56.4 million of its customers including defense personnels and potentially compromises national security
Punjab National Bank — India's top public bank — kept severely compromising the security of funds, personal and financial information of over 180 million (all) of it’s customers for ~7 months
Once again, India's top securities depository — CDSL — exposed sensitive data of ~43.9 million investors to the whole internet
India's top securities depository — CDSL — exposed sensitive data of ~43.9 million investors to the whole internet
Subscribe to our newsletter to get our upcoming findings in your inbox!
[.c-button-modal]Subscribe now![.c-button-modal]
Press: for any questions relating to this finding, feel free to contact us at press@cyberx9.com
We won't spam you but only send content you'll like and you can unsubscribe anytime.