wordpress blog stats
Connect with us

Hi, what are you looking for?

Flaw in Airtel app’s API exposed email, address, IMEI of users

Using just subscribers’ mobile numbers, a flaw in Airtel’s mobile app could have been exploited to access subscribers’ sensitive information, including their email, address and device IMEI number, BBC reported. This put the privacy of more than 300 million subscribers in jeopardy. Other information about a subscriber that could have been accessed (ab)using the flaw were users’ name, gender, date of birth, address, subscription information, device capability information for 4G, 3G, GPRS, network information, activation date and user type (prepaid/postpaid). The flaw was discovered by independent security researcher Ehraz Ahmed.

Airtel told BBC that the flaw has since been fixed. When contacted, Airtel sent us the following statement:

“There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice. Since these were testing APIs, we can now confirm that no data related to our customers has been impacted. Airtel’s digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms.”

Ahmed told MediaNama, “I usually look for high-risk vulnerabilities in applications that store vast amounts of data, Luckily, I found this in Airtel, and got it fixed before it being exploited.” However, he told us that he wasn’t entirely sure if the flaw had indeed not been exploited before he discovered it, and said that it took him 15 minutes to find the flaw. He discovered the flaw on November 29, and the BBC reported on it on December 7. This means that the flaw was present in the Airtel app for more than a week.

This incident comes at a time when India still doesn’t have a privacy law. India’s Personal Data Protection Bill, 2019, which got the Union Cabinet approval on December 4, is yet to be tabled in Parliament.

In November, a flaw in the API of caller-ID app Truecaller, allowed hackers to use malicious links to harvest IP addresses, physical location, and other data of users by attacking them using brute force and distributed denial of service (DDoS). Before that, in July, a “bug” in the Truecaller app started registering users to the app’s UPI platform without them necessarily consenting to it.

Advertisement. Scroll to continue reading.

*Update: This post was updated with Airtel’s response to our queries, and with the date on which Ahmed discovered the flaw. The previous version of this story has been archived here.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ