#BugAlert: SonyLIV flaw risked personal emails, phone numbers of users
What's the story
SonyLIV, the popular over-the-top streaming service operated by Sony Pictures Networks, had a critical security flaw. The bug, tied to an API of the service, risked the personal information of the users of the platform. However, thanks to Bengaluru-based security researcher Ehraz Ahmed, the issue was reported and fixed in time. Here is all you need to know about it.
Issue
Bug in SonyLIV's login API
Just recently, Ahmed, who had also found a serious loophole in Airtel a few weeks back, discovered a vulnerability in the API used by the SonyLIV app and website which lets users log into their accounts. He found that anyone with a little technical know-how could exploit the issue using nothing but the email of a person.
Risk
This risked critical account information of users
Ehraz delved into the matter and figured that a malicious threat actor could exploit this issue and mine a range of information, including a user's name, profile picture, number, and email address. He also said that the exploit of the bug even gave away the account authentication token, which one could use to gain full access to an account well as other SonyLIV APIs.
Quote
Here's what Ahmed said while highlighting the issue's seriousness
"It could cause a massive data breach, and the flaw was a risk to all the registered users as it could leak their sensitive information on the Web," Ahmed told Gadgets360. "The attackers could use the information fetched to even perform social engineering."
Fix
Either way, Sony took note of the matter, issued fix
Ahmed has detailed the bug and its exploit, with a proof-of-concept and a case study on his own website. However, he published these details publicly only after Sony took note of his report submitted via Gadgets360 and issued a patch fixing the API vulnerability, both on the mobile app and website of the service.
Safety
No user information compromised
SonyLIV acknowledged the issue and said that it has been fixed but also emphasized that the bug wasn't exploited by anybody. "A bug that could have affected accounts using social media IDs for logging onto SonyLIV has been identified and removed," a company spokesperson said, adding that "data of all our subscribers remain[s] safe and securely protected."