Claro had a security problem on the Minha Claro Residencial website, which lets customers view the pay TV and fixed broadband services provided by NET. Using the same access token, it was possible to look up other customers’ records, revealing their CPF, address and mobile phone number. The operator says the fault has been corrected. At the beginning of the month, the Meu Vivo portal had a similar loophole.
WhiteHat Brasil researchers explain on Twitter that it was possible to use a modified URL to consult the profiles of 8 million current and former Claro customers, including address, telephone number, date of birth, CPF, mother’s name and number of dependents.
The Minha Claro Residencial website asks for a login and password to grant access. Once that is done, the browser receives a URL containing two important pieces of data: a number that corresponds to your registration with Claro, and a token, a string of characters that should be unique.
The problem: this token was not unique. The researchers were able to use it to access other users’ profiles simply by changing the registration number. They then built a website to demonstrate the security breach, displaying data from current customers and from former customers who had already cancelled the service.
The flaw was present until last Thursday (14). The operator says in a statement that it “quickly identified and corrected, on November 14, the potential vulnerability in the Minha Claro Residencial application, and no damage to customers was identified”.
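The defect described above is a session token that proves someone is logged in but is never checked against the registration number in the URL. The following is an added illustration, not code from Claro or the researchers; all records, tokens and the access log are constructed placeholders. It shows the vulnerable lookup beside the corrected one, plus a simple log heuristic a defender could use to spot one token reading many registrations.

```python
import hmac
import secrets

# Constructed customer records, keyed by the registration number in the URL.
CUSTOMERS = {
    "1001": {"name": "Customer A", "cpf": "***.***.***-01", "phone": "+55 11 9xxxx-0001"},
    "1002": {"name": "Customer B", "cpf": "***.***.***-02", "phone": "+55 11 9xxxx-0002"},
}

# Server-side session store: token -> registration number it was issued for.
SESSIONS = {}

def login(registration):
    """Issue a random token and remember which registration it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = registration
    return token

def profile_vulnerable(registration, token):
    """Broken object-level authorization: the token only shows that *some*
    user is logged in; the registration number from the URL is trusted as-is,
    so changing that number returns another customer's record."""
    if token not in SESSIONS:
        return None
    return CUSTOMERS.get(registration)

def profile_fixed(registration, token):
    """Authorize the object, not just the session: the record is returned only
    when the URL's registration number matches the one the token was issued for."""
    owner = SESSIONS.get(token)
    if owner is None or not hmac.compare_digest(owner, registration):
        return None
    return CUSTOMERS.get(registration)

def suspicious_tokens(access_log, threshold=3):
    """Detection heuristic over (token, registration) pairs from an access log:
    a legitimate session touches its own registration; a token that reads
    `threshold` or more different registrations looks like enumeration."""
    seen = {}
    for token, registration in access_log:
        seen.setdefault(token, set()).add(registration)
    return sorted(t for t, regs in seen.items() if len(regs) >= threshold)
```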
Meu Vivo allowed access to data of other customers
In early November, a similar flaw was found in the Meu Vivo portal: it was possible to view several customers’ profiles by reusing an access token in the URL. Data such as full name, RG, CPF, address, e-mail and telephone number were exposed. Vivo corrected the problem.
The LGPD (General Data Protection Law) only comes into force next year, in August 2020, and will not apply to leaks that occurred before that date.