Two of South Africa’s mobile operators, Vodacom and Cell C, have reported security flaws over the past week, exposing subscribers’ personal details including account balances.
MyBroadband alerted Cell C on 2 January 2014 to a security flaw with its online portal – aka My Cell C – which allowed anyone with an internet connection to view personal information about many of Cell C’s subscribers.
A Cell C subscriber alerted MyBroadband that the “My Cell C My Account” portal provided access to personal details about many Cell C numbers by using a generic master password.
The security flaw was tested by MyBroadband using a new Cell C SIM and existing Cell C accounts. All Cell C numbers could be accessed, except those where the user changed their online password.
A wide range of personal information could be accessed through the portal, including account details, banking details, numbers called, PIN and PUK numbers and payment history.
Cell C confirmed the vulnerability, adding that it had since been resolved.
The operator said it suspects the flaw was the result of recent system maintenance.
“We are pleased to confirm that by mid-afternoon today [3 January 2014], a patch was developed, tested and deployed and the issue is now fully resolved,” said Cell C.
“The security of customer information is of the utmost importance to Cell C and we will be appraising our systems accordingly.”
It follows a security flaw in the “My Vodacom” online portal which exposed Vodacom subscribers’ personal details, including account balances, package details, service providers, average monthly spend, the phone used, PUK and PIN details.
The flaw allowed any Vodacom subscriber logged into the My Vodacom online portal to enter any Vodacom number and retrieve the personal details linked to that number: the portal checked that a user was logged in, but not that the number queried belonged to that user.
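The Vodacom lookup described above is a missing object-level authorisation check. The following is an added illustration, not Vodacom’s or Cell C’s code: a lookup that only checks for a login beside one that also binds the requested number to the session’s account, plus a check over constructed access-log lines that flags sessions reading numbers they are not linked to. All MSISDNs, users and the log format are constructed.

```python
from collections import Counter

# Constructed subscriber records keyed by MSISDN (hypothetical numbers).
ACCOUNTS = {
    "27820000001": {"owner": "user-a", "package": "Prepaid", "balance": 12.50},
    "27820000002": {"owner": "user-b", "package": "Contract", "balance": 0.00},
    "27820000003": {"owner": "user-b", "package": "Contract", "balance": 45.10},
}

# Which MSISDNs each logged-in account is entitled to see (constructed).
LINKED_NUMBERS = {
    "user-a": {"27820000001"},
    "user-b": {"27820000002", "27820000003"},
}

class Forbidden(Exception):
    pass

def can_view(session_user, msisdn):
    """Object-level rule: the number must be linked to the authenticated account."""
    return msisdn in LINKED_NUMBERS.get(session_user, set())

def summary_vulnerable(session_user, msisdn):
    """Only checks that *someone* is logged in, then returns any number's summary."""
    if not session_user:
        raise Forbidden("login required")
    return ACCOUNTS[msisdn]          # no ownership check: any number can be read

def summary_hardened(session_user, msisdn):
    """Same lookup, but the requested number must belong to the session's account."""
    if not session_user:
        raise Forbidden("login required")
    if not can_view(session_user, msisdn):
        raise Forbidden("number not linked to this account")
    return ACCOUNTS[msisdn]

def unauthorised_reads(log_lines):
    """Detection over portal access logs: count, per session user, reads of numbers
    not linked to that user. Constructed log format: '<user> GET /account/<msisdn>'."""
    hits = Counter()
    for line in log_lines:
        user, _, path = line.split()
        msisdn = path.rsplit("/", 1)[-1]
        if not can_view(user, msisdn):
            hits[user] += 1
    return dict(hits)

# Constructed sample: user-a reads two numbers that are not theirs.
SAMPLE_LOG = [
    "user-a GET /account/27820000001",
    "user-a GET /account/27820000002",
    "user-a GET /account/27820000003",
    "user-b GET /account/27820000002",
]
```

Running `unauthorised_reads(SAMPLE_LOG)` returns `{"user-a": 2}`, which is the kind of signal a defender can alert on when the lookup still lacks the ownership check.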
Vodacom was alerted to the security flaw on the afternoon of 26 December and the company launched a “complete investigation”.
It said that the flaw was identified, and a patch was developed overnight.
The patch was tested successfully on the morning of 27 December and was deployed into production by midday on the same day.
“Only high level account summary information was exposed such as the type of package and the balances. No banking information was compromised nor was it possible to transact on the affected number,” said Vodacom.