Cybersecurity researchers have uncovered multiple critical vulnerabilities in a major telecom network that exposed 3,000 companies to potential unauthorized access. The security flaws, discovered by researchers Abdulaziz and Omar, affected backend APIs, authentication systems, and Know Your Customer (KYC) processes. The discovery comes amid growing concerns about telecom security, following several high-profile data breaches in the industry.
The investigation revealed several significant security gaps, including a path traversal vulnerability in a backend API that allowed access to internal systems. Initial attempts were blocked by a Web Application Firewall, but the researchers identified an alternative production domain, serving the same backend, that sat behind no such protection; through it they reached internal APIs and microservices. The lesson for practitioners is that a WAF in front of one hostname is a compensating control, not a fix: the vulnerable code was still there, and every other route to it was unguarded. The finding is particularly concerning as telecom providers increasingly expose network APIs to third parties for new services and security features.
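The following is an added illustration, not code from the researchers or the telecom, of why the WAF-only arrangement described above fails. It models two hostnames sharing one backend (the hostnames, document root and the WAF rule are assumptions): the perimeter rule only sees traffic for one host and only matches a literal `../`, while the real fix is for the backend to canonicalise the requested path and refuse anything that resolves outside its document root.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the service; the hostnames below are illustrative.
BASE = "/srv/app/public"
WAF_HOSTS = {"portal.example.net"}   # only this hostname sits behind the WAF


def waf_blocks(raw_path: str) -> bool:
    """Perimeter rule of the kind a WAF applies: reject a literal '../' in the raw request path."""
    return "../" in raw_path


def resolve_naive(raw_path: str) -> str:
    """Vulnerable backend: decode once, join to BASE, never check where the path ends up."""
    return posixpath.normpath(BASE + "/" + unquote(raw_path).lstrip("/"))


def resolve_safe(raw_path: str):
    """Hardened backend: fully decode, normalise, and refuse anything that escapes BASE."""
    decoded = raw_path
    for _ in range(3):                     # undo double (or triple) percent-encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                  # NUL bytes have no business in a file path
        return None
    target = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    if target != BASE and not target.startswith(BASE + "/"):
        return None                        # resolved outside the document root
    return target


def request(host: str, raw_path: str, resolver) -> str:
    """Simulate one request: the WAF only sees traffic for WAF_HOSTS; the backend is shared."""
    if host in WAF_HOSTS and waf_blocks(raw_path):
        return "403 blocked by WAF"
    target = resolver(raw_path)
    if target is None:
        return "400 rejected by backend"
    return "200 " + target


if __name__ == "__main__":
    probe = "../../../etc/passwd"
    print(request("portal.example.net", probe, resolve_naive))        # 403 blocked by WAF
    print(request("api-internal.example.net", probe, resolve_naive))  # 200 /etc/passwd
    print(request("portal.example.net", "..%2f..%2f..%2fetc/passwd", resolve_naive))  # 200 /etc/passwd
    print(request("api-internal.example.net", probe, resolve_safe))   # 400 rejected by backend
```

Two things to take from running it: the same probe that the WAF stops on the protected host succeeds unchanged on the unprotected one, and even on the protected host a percent-encoded `..%2f` slips past a rule that matches the raw path. Only the backend-side check holds in every case.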
Through an exposed endpoint at ‘/application.wadl’ (the WADL service description that JAX-RS frameworks such as Jersey generate automatically, and which should not be reachable in production), the researchers obtained internal documentation of the payment system's microservices. The endpoints it described exposed sensitive employee information, including personally identifiable information (PII) and biometric data, and customer invoices could be retrieved by supplying a mobile number. The exposure of biometric data is especially serious as countries such as Thailand and India move toward mandatory biometric authentication for SIM cards.
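An added example of what an exposed WADL document hands an attacker, and the check a reviewer can run against one. This is not the telecom's document or the researchers' tooling: the WADL below is constructed in the shape JAX-RS frameworks emit, and the base URL, resource paths and method ids are assumptions. The parser walks the nested `resource` elements, joins their `path` attributes into full URLs, and flags endpoints whose path or id suggests sensitive data.

```python
import xml.etree.ElementTree as ET

# Constructed WADL fragment, in the shape a JAX-RS implementation publishes at /application.wadl.
# The base URL, paths and method ids are assumptions for illustration.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api-internal.example.net/payments/">
    <resource path="invoices">
      <resource path="{msisdn}">
        <param name="msisdn" style="template" type="xs:string"/>
        <method name="GET" id="getInvoiceByMsisdn">
          <response><representation mediaType="application/json"/></response>
        </method>
      </resource>
    </resource>
    <resource path="employees/{id}/biometrics">
      <method name="GET" id="getBiometrics"/>
      <method name="PUT" id="putBiometrics"/>
    </resource>
    <resource path="health">
      <method name="GET" id="ping"/>
    </resource>
  </resources>
</application>
"""

NS = {"w": "http://wadl.dev.java.net/2009/02"}

# Keywords that mark an endpoint worth a closer look during review (assumed list).
SENSITIVE = ("biometric", "kyc", "employee", "invoice", "admin", "password", "nationalid")


def enumerate_wadl(text: str):
    """Return (HTTP method, full URL, method id) for every method the WADL advertises."""
    root = ET.fromstring(text)
    found = []
    for resources in root.findall("w:resources", NS):
        base = resources.get("base", "").rstrip("/")
        _walk(resources, base, found)
    return found


def _walk(node, prefix, found):
    # resource elements nest; each level appends its own path segment
    for res in node.findall("w:resource", NS):
        full = prefix + "/" + res.get("path", "").strip("/")
        for method in res.findall("w:method", NS):
            found.append((method.get("name"), full, method.get("id")))
        _walk(res, full, found)


def flag_sensitive(endpoints):
    """Subset of endpoints whose URL or id contains a sensitive keyword."""
    return [
        e for e in endpoints
        if any(k in (e[1] + (e[2] or "")).lower() for k in SENSITIVE)
    ]


if __name__ == "__main__":
    for method, url, ident in flag_sensitive(enumerate_wadl(SAMPLE_WADL)):
        print(f"{method:4} {url}  ({ident})")
```

The point of the exercise is that the WADL is a complete, machine-readable map of the microservice, including template parameters such as `{msisdn}`: it is exactly what turns "customer invoices were accessible through mobile numbers" from a guess into a one-line request. The fix is to stop publishing it: in Jersey the server property `jersey.config.server.wadl.disableWadl` set to `true` suppresses generation, and other frameworks have equivalents; leaving the description exposed is not itself the data leak, but it removes any need for the attacker to discover the endpoints.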
The researchers gained access to a super admin panel by analyzing JavaScript files and employing brute-force attacks with custom wordlists. The access granted control over the telecom company’s operations and its 3,000 subsidiaries, including the ability to modify passwords and national IDs.
The investigation also revealed weaknesses in the KYC verification process. While frontend APIs maintained strict KYC checks, backend APIs lacked equivalent security measures. The vulnerability potentially enabled unauthorized phone number transfers and SIM swap attacks, which could compromise SMS-based two-factor authentication systems. Such attacks have become increasingly prevalent, with the FBI reporting $48 million in losses to SIM swapping in 2023 alone.
Analysis indicated that the security issues stemmed from inadequate API security practices: authentication and authorization were enforced only in the customer-facing (frontend) API layer, so any caller that reached the backend services directly bypassed them entirely. The system also lacked proper logging, monitoring, and rate limiting, which is why the brute-force attempts against the admin panel went unchecked and unnoticed. These findings support recent FBI and CISA guidance advocating stronger authentication methods than SMS-based one-time codes.
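The following added example models the design flaw described in the three paragraphs above (KYC enforced only by the frontend, no backend authorization, no rate limiting or logging) beside a hardened backend. It is illustrative code, not the telecom's or the researchers', and the signing key, customer records and number-to-SIM binding table are constructed. In the hardened version the KYC service issues a short-lived HMAC-signed assertion that binds a verified customer to one number, the backend verifies it itself before changing a SIM binding, throttles each caller, and writes an audit record for every decision.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Assumptions for the example: a key shared between the KYC service and the backend,
# a constructed MSISDN-to-SIM binding table, and a fixed clock for determinism.
KYC_KEY = b"example-kyc-signing-key"
INITIAL_BINDINGS = {"+66812345678": "ICCID-ORIGINAL"}
NOW = 1_700_000_000.0


class VulnerableBackend:
    """Models the reported design: the KYC check lives in the frontend; the backend trusts any caller."""

    def __init__(self):
        self.bindings = dict(INITIAL_BINDINGS)

    def transfer_number(self, msisdn, new_iccid):
        self.bindings[msisdn] = new_iccid      # no check of who asked or whether KYC passed
        return "200 ok"


def frontend_sim_swap(backend, msisdn, new_iccid, kyc_passed):
    """Customer-facing layer: the only place the vulnerable design checks KYC."""
    if not kyc_passed:
        return "403 KYC failed"
    return backend.transfer_number(msisdn, new_iccid)


def issue_kyc_assertion(msisdn, customer_id, now=NOW, ttl=300):
    """KYC service output: signed claims binding a verified customer to one number, short-lived."""
    body = json.dumps({"msisdn": msisdn, "cust": customer_id, "exp": now + ttl}, sort_keys=True)
    sig = hmac.new(KYC_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


class HardenedBackend:
    """Enforces KYC itself, throttles per caller, and records every decision."""

    def __init__(self, limit=5, window=60):
        self.bindings = dict(INITIAL_BINDINGS)
        self.audit = []
        self._attempts = defaultdict(deque)
        self.limit, self.window = limit, window

    def _throttled(self, source, now):
        q = self._attempts[source]
        while q and now - q[0] > self.window:   # drop attempts outside the sliding window
            q.popleft()
        q.append(now)
        return len(q) > self.limit

    def _verified_customer(self, token, msisdn, now):
        if not isinstance(token, str) or "." not in token:
            return None
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(KYC_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                         # forged or tampered assertion
        claims = json.loads(body)
        if claims["msisdn"] != msisdn or claims["exp"] < now:
            return None                         # assertion for another number, or expired
        return claims["cust"]

    def transfer_number(self, source, msisdn, new_iccid, token, now=NOW):
        if self._throttled(source, now):
            return self._decide(source, msisdn, "429 throttled", now)
        if self._verified_customer(token, msisdn, now) is None:
            return self._decide(source, msisdn, "403 KYC assertion missing or invalid", now)
        self.bindings[msisdn] = new_iccid
        return self._decide(source, msisdn, "200 ok", now)

    def _decide(self, source, msisdn, outcome, now):
        self.audit.append({"t": now, "source": source, "msisdn": msisdn, "outcome": outcome})
        return outcome


if __name__ == "__main__":
    v = VulnerableBackend()
    print(frontend_sim_swap(v, "+66812345678", "ICCID-ATTACKER", kyc_passed=False))  # 403 KYC failed
    print(v.transfer_number("+66812345678", "ICCID-ATTACKER"))                        # 200 ok (direct call)
    h = HardenedBackend()
    print(h.transfer_number("198.51.100.7", "+66812345678", "ICCID-ATTACKER", None))  # 403 ...
    token = issue_kyc_assertion("+66812345678", "cust-001")
    print(h.transfer_number("203.0.113.5", "+66812345678", "ICCID-NEW", token))       # 200 ok
```

The design choice worth noting is that the assertion is bound to the MSISDN: a valid KYC result for the attacker's own number cannot be replayed to move a victim's number, which is the SIM-swap path the researchers describe. The sliding-window counter is deliberately simple; in production it would be keyed on more than the source address and would feed the monitoring that was missing here.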
“Nobody is trained on the whole idea of: you have an inbound call from someone who’s your IT support, you just had an IT problem, and you may have already put in a trouble ticket for IT. How do you assure that the person who’s calling you on your internal communications system is in fact your IT person?” said Sean Gallagher, principal threat researcher at Sophos. He emphasized the need for employee familiarity with IT help desk procedures and the importance of examining configurations and default settings to prevent such vulnerabilities.
Sources: Cybersecurity News, Security Affairs, LA-Cyber.com, Cyber Scoop