Telefónica Movistar Site Exposed Customer Billing Details
Consumer Group Says Basic Error Put Millions at Risk
A Spanish consumer rights organization says telecommunications company Telefónica has fixed an elementary security error in its Movistar website that potentially exposed billing invoices for millions of customers.
The consumer organization, Facua.org, called the exposure the "biggest security breach in the history of telecommunications in Spain." The organization reported the flaw to Telefónica on Sunday, and it was fixed by Monday morning, Facua says.
The flaw was within Telefónica's Movistar website and allowed someone viewing an account invoice to increment the invoice number and view someone else's bill.
The data exposed includes names, addresses, email addresses, fixed and mobile numbers and call records, Facua says.
No Fraudulent Use
Efforts to reach Telefónica officials were not immediately successful on Tuesday. But customers did begin asking questions about the incident via Twitter, to which Telefónica responded.
"We were notified of a vulnerability that was corrected immediately last night," according to a translation of a tweet from Movistar's Twitter account. "Until now, we have not detected any fraudulent access to customer information."
Hi, I'm Ana. We were notified of a vulnerability that was corrected immediately last night. So far, we have not detected any fraudulent access to customer information. Regards.
— Movistar España (@movistar_es) July 16, 2018
The type of vulnerability is known as insecure direct object reference, says Troy Hunt, an Australian security expert and creator of the Have I Been Pwned data breach notification service. "It's very well-known, very easily tested for and very easily exploited."
In 2013, this type of vulnerability ranked fourth on the OWASP Top 10 list of the most common web application vulnerabilities published by the Open Web Application Security Project. Last year, OWASP revamped its top 10 and folded insecure direct object reference vulnerabilities into a catch-all category of broken access controls.
Insecure direct object reference flaws allow "attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks," OWASP says.
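The flaw described above, where a viewer of one invoice can change the invoice number and read another customer's bill, comes down to a lookup that trusts a client-supplied identifier without checking ownership. The following is an added illustration, not Movistar's code: a vulnerable invoice handler beside a hardened one that ties the lookup to the server-side session identity, plus a small regression check that a defender can run against either handler. The data store, account ids, names, phone numbers and invoice numbers are all constructed for the example.

```python
"""Insecure direct object reference (IDOR) on an invoice lookup: a vulnerable
handler beside a hardened one.  Added illustration, not Movistar's code; the
data store, account ids and invoice numbers below are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Invoice:
    number: int          # sequential, guessable identifier exposed in the URL
    account_id: str      # the customer the invoice belongs to
    customer_name: str
    phone: str
    amount_eur: float


# Constructed sample data: two customers, sequential invoice numbers.
INVOICES = {
    1001: Invoice(1001, "acct-A", "Customer A", "+34 600 000 001", 42.10),
    1002: Invoice(1002, "acct-B", "Customer B", "+34 600 000 002", 58.75),
    1003: Invoice(1003, "acct-A", "Customer A", "+34 600 000 001", 39.00),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_invoice_vulnerable(session_account: str, number: int) -> Optional[Invoice]:
    """Looks the object up by the client-supplied number only.  The logged-in
    account is never compared with the invoice owner, so any authenticated
    user who edits the number reads another customer's bill (IDOR)."""
    return INVOICES.get(number)


def get_invoice_fixed(session_account: str, number: int) -> Optional[Invoice]:
    """Resolves the reference, then enforces ownership against the identity
    taken from the server-side session, never from the request itself."""
    invoice = INVOICES.get(number)
    if invoice is None:
        return None
    if invoice.account_id != session_account:
        # Deny; the web layer can map this to a 403 or, to avoid confirming
        # that the invoice exists, a 404.  Log it for detection of sweeps.
        raise Forbidden(f"account {session_account} may not read invoice {number}")
    return invoice


def leaks_cross_account(fetch: Callable[[str, int], Optional[Invoice]],
                        session_account: str, numbers: Iterable[int]) -> bool:
    """Regression check for an authorization fix: request a range of invoice
    numbers as one account and report whether any returned invoice belongs to
    a different account.  True means the handler is still vulnerable."""
    for n in numbers:
        try:
            inv = fetch(session_account, n)
        except Forbidden:
            continue
        if inv is not None and inv.account_id != session_account:
            return True
    return False


if __name__ == "__main__":
    ids = range(1001, 1004)
    print("vulnerable handler leaks:", leaks_cross_account(get_invoice_vulnerable, "acct-A", ids))
    print("fixed handler leaks:     ", leaks_cross_account(get_invoice_fixed, "acct-A", ids))
```

The key design point is that the ownership check compares the object's owner with an identity the server already holds for the session; no value the client can edit (invoice number, account id in a query string, hidden form field) participates in the decision. The regression check belongs in the application's test suite so that the fix cannot silently regress when the invoice endpoint is next refactored.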
Biggest GDPR Notification So Far?
Facua says it filed a complaint on Monday with Spain's data protection authority, the Agencia Española de Protección de Datos.
Telefónica's incident comes about two months after the European Union's General Data Protection Regulation went into effect. Organizations that have a breach or exposed data are required to notify regulators and those affected within 72 hours.
Those found in breach of GDPR's rules could face fines of up to 4 percent of their annual revenue or €20 million ($23 million), whichever is greater. Data protection authorities in member states enforce the regulations.
Facua contends, however, that Spanish law limits the fines that can be levied by the country's data protection authority to between €300,000 and €600,000. Facua calls the limits "absolutely ridiculous."
The fines "are not proportional to the seriousness of the irregularities and the number of people affected, which can amount to tens of millions of users," Facua contends.