Could MobiFone customers' personal information be exposed?

Recently, a warning from VSEC stated: "MobiFone's website has a serious flaw, leading to leaks of customers' confidential information" (!?).

To find out the real extent of the damage and protect consumers' interests, we accompanied VSEC security expert Phung Anh Tuan to MobiFone headquarters to discuss the issue.

Customer information leaked?

Picture 1: Network security expert Phung Anh Tuan points out a security error in the MobiFone network at MobiFone headquarters.

MobiFone's website allows the network's customers to register an account through the website in order to manage their phone account.

In addition, customers can use their online accounts to send text messages and download logos, images and ringtones, with the cost charged to their phone bill.

MobiFone's administration system (admin) is accessed via http://www.mobifone.com.vn/admin. The system blocks all logins from external IP addresses, even when the person has the correct password; only one computer inside the LAN, with a fixed IP address, is allowed to access it.

However, according to VSEC's warning, by exploiting the flaw in the website system, hackers can easily gain access to the admin system.

Once inside the admin system of the website and in control of the database, hackers could use other customers' accounts on the server to send text messages, with the charges deducted from those customers' accounts.

More seriously, according to the warning, hackers can create an account for any MobiFone phone number and thereby control that number's information through the website system, even if the owner of the number has never accessed the MobiFone website.

In addition, hackers could access important information of all customers, such as the numbers called, call durations, etc.

'Hackers can't do that!'

Responding to the reporter, Mr. Nguyen Tuan Huy, Deputy Head of MobiFone's billing computing department, said that this admin page can only be accessed from internal computers.

Mr. Huy explained that, to register for the service, the user must hold the phone with the SIM inside and send a text message in order to receive the authentication code; only then can they obtain personal information, charges and the numbers called. "If there is no phone and SIM, the hacker cannot activate the account. There are no tools to create an account."

Accordingly, hackers cannot create other customers' accounts on the server to send messages or use the functions available on the website system.

According to MobiFone's technical staff, there have been many cases where a wife took her husband's phone, obtained the password and registered for the service to view call details or send messages. This is entirely possible if the subscriber leaves the phone at home.

"When this service first launched, we received many complaints from customers asking why their account had been charged on the website. It was later discovered that their phone had been 'borrowed' without their knowledge," said a technician in charge of the Computer Department.

However, in the presence and with the agreement of MobiFone's Computer Informatics staff, expert Phung Anh Tuan demonstrated the technique showing that the web server has holes.

According to Phung Anh Tuan, this is a flaw in the Oracle 9iAS JEE Webserver (9.0.3.0.0) that allows hackers to download any JSP file from the website system, helping them study and understand the www.mobifone.com.vn system.

In addition, this flaw also allows hackers to execute commands that query server information, revealing the directory structure and files on the server. MobiFone's informatics experts then asked Phung Anh Tuan to go further and display the information of any phone number on the spot, but the request was declined.

Explaining this refusal, Phung Anh Tuan said: "This is a legal issue; we are only network security people who detect risks and send warnings for the benefit of millions of subscribers. MobiFone should review its entire website. If MobiFone does not believe it and wants us to prove it, they need to send a written request to VSEC."

Speaking to reporters, Mr. Nguyen Tuan Huy said that immediately after receiving VSEC's warning, MobiFone mobilized IT and network security experts to review the website and implement technical measures to fully secure it.

Mr. Huy revealed that they had previously detected a hacker who had harassed the system and had applied the necessary deterrent measures. Mr. Huy emphasized: "Our house has a lock; any act of intrusion, whether well-intentioned or not, is illegal."