A security flaw with Cell C’s online portal – aka My Cell C – allowed anyone with an internet connection to view personal information about many of Cell C’s subscribers.
Concerned Cell C subscriber Eugene Eksteen (aka cavedog) alerted MyBroadband that the “My Cell C My Account” portal provided access to personal details about many Cell C numbers by using a generic master password.
The security flaw was tested by MyBroadband using a new Cell C SIM and existing Cell C accounts. All Cell C numbers could be accessed, except those where the user changed their online password.
A wide range of personal information could be accessed through the portal, including account details, banking details, numbers called, PIN and PUK numbers and payment history.
According to Eksteen the vulnerability existed since March 2013, following a system upgrade by Cell C.
Cell C quickly fixes flaw
MyBroadband alerted Cell C to the security flaw on 2 January 2014, and the operator confirmed the vulnerability soon afterwards.
“Cell C can confirm that following a thorough investigation, the security flaw on our online customer portal was identified and resolved,” Cell C said.
Cell C said that they suspect the flaw was the result of recent system maintenance.
“We are pleased to confirm that by mid-afternoon today [3 January 2014], a patch was developed, tested and deployed and the issue is now fully resolved,” said Cell C.
“The security of customer information is of the utmost importance to Cell C and we will be appraising our systems accordingly.”
Cell C thanked MyBroadband and Eksteen for bringing the security flaw to their attention.
* This report first appeared on Mybroadband.co.za and can be viewed here: http://mybroadband.co.za/news/security/94332-big-cell-c-security-flaw-uncovered.html