News reports that a hacker compromised Airtel, a major mobile service provider, and stole the call records of VVIPs are causing ripples in the media. At the cooler today this was the topic of discussion, as the "attack" happened in our backyard. The Times of India reported that Ankit Srivastava, a Ph.D. student, breached the customer service website of Airtel, one of India's largest cell phone companies. He stole the call records - who had called whom - of several important folks, including the police commissioner of Delhi. In one version, he blackmailed Airtel for Rs 1 Cr (~ $250,000) in return for keeping silent. The company filed a complaint and he's in police custody now. Discussions at the cooler, though, focused on how he gained the call records. According to the Times of India:
The service allows customers to get their call details by entering their number and an email ID. Simply by doing this, he (Ankit) would receive the call details on the email id entered by him. He first got his mobile record and then those of his friends. He then entered the mobile numbers of top cops and the service provider promptly provided him the records.
Airtel lets logged-in users receive their billing statement over email, and users can specify the email id the statement is sent to. Here's Balaji's theory: when the site lets users specify the email id, it probably sends the phone number along as a hidden form variable, under the hood. If the server does not verify that the mobile number belongs to the logged-in session, then it's trivial to intercept the request and modify the mobile number to that of another user. What's the safest way to do this? Accept only the email id in the request, and look up the mobile number from the database or a local session object, keyed by the session id. The Quiz in the upcoming issue of Palisade is based on this :)
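To make Balaji's theory concrete, here is an added example (written for this post, not Airtel's code) in Python that models the "email me my statement" request two ways: a handler that trusts a hidden `mobile` field from the form, and one that takes only the email id from the request and derives the mobile number from the server-side session. The session store, call records, `Mailer` stand-in and handler names are all constructed for the illustration; a `tampering_detected` helper shows the check a server could log on.

```python
# Added example, not Airtel's code: the "email me my statement" request from
# the post handled two ways. SESSIONS, CALL_RECORDS, Mailer and the handler
# names are constructed for this illustration.
from dataclasses import dataclass, field

# Constructed sample data: session id -> mobile number of the logged-in user.
SESSIONS = {
    "sess-alice": "9810000001",
    "sess-bob": "9810000002",
}

# Constructed sample data: mobile number -> call records for that subscriber.
CALL_RECORDS = {
    "9810000001": ["9810000001 called 9820000009, 2 min"],
    "9810000002": ["9810000002 called 9830000007, 5 min"],
}


@dataclass
class Mailer:
    """Stand-in for the outbound mail system; records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: list) -> None:
        self.sent.append((to, list(body)))


def _require_login(session_id: str) -> str:
    """Return the mobile number bound to a valid session, or raise."""
    try:
        return SESSIONS[session_id]
    except KeyError:
        raise PermissionError("not logged in") from None


def send_statement_vulnerable(session_id: str, form: dict, mailer: Mailer) -> str:
    """The theory from the post: the handler checks that *a* user is logged
    in, then trusts the hidden 'mobile' field in the form to decide whose
    records to mail. That field is client-controlled and can be rewritten
    in transit, so the login check does not bind the request to the user."""
    _require_login(session_id)
    mobile = form["mobile"]                       # client-controlled value
    mailer.send(form["email"], CALL_RECORDS.get(mobile, []))
    return mobile


def send_statement_hardened(session_id: str, form: dict, mailer: Mailer) -> str:
    """The fix from the post: the only thing taken from the request is the
    email address; the mobile number comes from the server-side session."""
    mobile = _require_login(session_id)           # server-controlled value
    mailer.send(form["email"], CALL_RECORDS[mobile])
    return mobile


def tampering_detected(session_id: str, form: dict) -> bool:
    """Detection hook for the hardened handler: a request whose 'mobile'
    field disagrees with the session's own number is worth logging, since
    a legitimate client has no reason to name anyone else's number."""
    mobile = _require_login(session_id)
    return "mobile" in form and form["mobile"] != mobile


if __name__ == "__main__":
    # Alice's session, but the hidden field has been rewritten to Bob's number.
    tampered = {"email": "alice@example.com", "mobile": "9810000002"}
    m = Mailer()
    print("vulnerable mails records of", send_statement_vulnerable("sess-alice", tampered, m))
    print("hardened mails records of  ", send_statement_hardened("sess-alice", tampered, m))
    print("tampering flagged:", tampering_detected("sess-alice", tampered))
```

The point of the hardened handler is that the form no longer needs to carry the mobile number at all; once the server keys the lookup on the session id, there is nothing in the request left to tamper with, and any `mobile` field that does arrive is a signal for the logs rather than an input.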