Recently, a warning from VSEC stated: “The MobiFone website has a serious vulnerability, leading to the leakage of customers’ private information” (!?).
To clarify the situation and protect consumer rights, we, along with VSEC security expert Phùng Anh Tuấn, visited MobiFone’s headquarters to discuss this issue.
Customer Information Leakage?
Photo caption: Network security expert Phùng Anh Tuấn pointing out a security flaw in MobiFone’s network at the MobiFone headquarters
The MobiFone website system allows customers to register for an account to manage their phone billing online.
Additionally, customers can use their online accounts to send messages, download logos, images, ringtones, and these charges will be deducted from their usage fees.
The admin system of MobiFone is accessed through http://www.mobifone.com.vn/admin. The system blocks logins from all external IP addresses, even when the correct password is supplied, and allows only one machine on the LAN, with a fixed IP address, to access the system.
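The control described above is a source-address allowlist on the /admin path. One way an operator can verify that such a control is actually being enforced is to audit the web server's access log for admin requests that were served to any address other than the permitted one. The script below is an added example written for this article, not MobiFone's or VSEC's code; the log lines, the allowlisted address 192.168.10.5 and the /admin prefix are constructed assumptions for illustration.

```python
import re

# Constructed sample access-log lines in Common Log Format (not from the article).
# Line 1: the permitted LAN machine; lines 2-3: an external address, first denied,
# then served a page; line 4: a LAN machine that is not the permitted one.
SAMPLE_LOG = """\
192.168.10.5 - - [10/Mar/2005:09:12:01 +0700] "GET /admin/index.jsp HTTP/1.1" 200 5123
203.0.113.77 - - [10/Mar/2005:09:12:44 +0700] "GET /admin/index.jsp HTTP/1.1" 403 221
203.0.113.77 - - [10/Mar/2005:09:13:02 +0700] "GET /admin/login.jsp HTTP/1.1" 200 4021
192.168.10.9 - - [10/Mar/2005:09:14:10 +0700] "POST /admin/login.jsp HTTP/1.1" 302 0
198.51.100.3 - - [10/Mar/2005:09:15:33 +0700] "GET /index.jsp HTTP/1.1" 200 8870
"""

# Hypothetical allowlist: the article says exactly one fixed LAN address may reach /admin.
ADMIN_ALLOWLIST = {"192.168.10.5"}
ADMIN_PREFIX = "/admin"

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_admin_access(log_text, allowlist=ADMIN_ALLOWLIST, prefix=ADMIN_PREFIX):
    """Return a list of findings for admin-path requests from non-allowlisted sources.

    A request that was denied (4xx/5xx) is recorded as INFO: the control worked.
    Any other status (2xx/3xx) means the server answered an admin request for a
    source that should have been blocked, so it is recorded as HIGH.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        if rec["ip"] in allowlist:
            continue
        severity = "INFO" if rec["status"] >= 400 else "HIGH"
        findings.append({
            "severity": severity,
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "timestamp": rec["ts"],
        })
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    summary = {}
    for f in findings:
        summary[f["severity"]] = summary.get(f["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    for f in audit_admin_access(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {f['status']} at {f['timestamp']}")
    print(count_by_severity(audit_admin_access(SAMPLE_LOG)))
```

On the constructed input this reports three non-allowlisted admin requests: one denied (INFO) and two served (HIGH). A HIGH finding means the allowlist is not being enforced where the request was actually answered, which is the case to investigate; it also shows why an address restriction alone is a weak control when the server software itself has a flaw that does not go through the login path at all.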
However, according to VSEC’s warning, when analyzing the flaw in the website system, hackers can easily access the admin system.
In the admin system of the website, after gaining control over the database, hackers can use the accounts of other customers on the server to send messages while the charges are deducted from that person’s account.
More seriously, the warning states that hackers can automatically create accounts for any phone number belonging to the MobiFone network to control information about that number through the website system, even if the owner of the number has never accessed the MobiFone website.
Moreover, hackers can also access important information of all customers, such as outgoing phone numbers, call durations, etc.
“Hackers Cannot Do That!”
In response to reporters, Mr. Nguyễn Tuấn Huy – Deputy Head of MobiFone’s Billing IT Department, claimed that this admin page can only be accessed from internal machines.
He stated, “Users must hold a phone with a SIM card inside and send messages based on a verification code to register for services, thereby accessing personal information, billing details, and incoming phone numbers.” Mr. Huy asserted, “If there is no device and SIM, hackers cannot activate an account. There are no tools available to create accounts.”
Thus, hackers cannot create accounts of other customers on the server to send messages or use the functions available on the website system.
According to MobiFone’s technical staff, there have been many instances where a wife used her husband’s phone to obtain the password to register for detailed billing services or to send messages. This can easily happen if the phone is left at home.
“Initially, when we launched this service, we received many customer complaints about why money was being deducted from their accounts on the website. Later, it was discovered that they had inadvertently ‘loaned’ their phone to someone else,” said a technical staff member from the billing IT department.
However, in the presence and with the agreement of MobiFone’s billing IT staff, expert Phùng Anh Tuấn demonstrated the technique showing that the web server has vulnerabilities.
According to Phùng Anh Tuấn, this is a flaw in Oracle 9iAS JEE Webserver (9.0.3.0.0) that allows hackers to download any JSP file from the website system, enabling them to analyze and understand the system of www.mobifone.com.vn.
Additionally, this flaw allows hackers to execute commands that query server information, revealing the directory structure and files on the server. MobiFone’s IT experts nevertheless kept asking Phùng Anh Tuấn to demonstrate, on the spot, the retrieval of information for an arbitrary phone number. He declined that request.
Explaining the refusal, Phùng Anh Tuấn stated: “This is a legal matter; we are just network security professionals identifying risks and sending warnings for the benefit of millions of subscribers. MobiFone should conduct a comprehensive review of their website system. If MobiFone does not believe us and wants us to prove it, they need to send an official request to VSEC.”
In discussions with reporters, Mr. Nguyễn Tuấn Huy mentioned that immediately after receiving the warning from VSEC, MobiFone mobilized IT and cybersecurity experts to review and implement technical measures to ensure the safety of the website.
Mr. Huy revealed that they had previously detected hacker activity and had taken the necessary deterrent measures. He emphasized: “Our house has a lock; any intrusion, whether intended or not, is illegal.”