The Meu Vivo portal, which gives customers access to information about their telephone, TV and internet plans, had a security flaw that exposed customers’ personal information, including full name, address, date of birth, ID (RG), CPF, e-mail and cell phone number. There are reports that it affected 24 million people, but the operator says the actual number is “considerably less”.
“Vivo informs that, last night, in just under three hours, the company identified and neutralized a vulnerability in accessing the Meu Vivo service portal, with the objective of ensuring privacy and the security of its customers’ information”, explained the company in a statement to Tecnoblog.
Security researchers from the WhiteHat Brasil group told Digital Look that they managed to capture customer data through the Meu Vivo portal. According to them, the flaw had been present on the website for about two weeks. It was possible to obtain:
- full name;
- mother’s name;
- date of birth;
- complete address (street, number, city, state, zip code);
- type of residence (house, apartment, etc.);
- email address;
- phone number.
Meu Vivo exposed personal data due to token failure
The researchers explained on Twitter that the flaw was in the Meu Vivo access token. It worked like this: every customer is registered under a unique identification number, independent of their CPF or RG. After the customer entered their username and password, the system returned a URL containing that identification number and an access token, that is, a string of characters that acts as a key granting access.
The problem was that this same token could be used to access any customer’s profile: it was enough to request the URL with a different identification number. The researchers tested sequential numbers between 1,000 and 25 million, and the technique worked “almost continuously”.
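To make the token flaw concrete, here is an added Python sketch (not Vivo’s code; the profile store, the token format, the signing key and the access-log lines are all constructed) that contrasts the flawed check described above, where a valid token unlocks any identification number, with a check that binds the token to the customer it was issued for, and adds a simple log-based detector for one token reading many distinct IDs.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data: customer IDs are sequential integers, as on Meu Vivo.
PROFILES = {
    1000: {"name": "Customer A"},
    1001: {"name": "Customer B"},
    1002: {"name": "Customer C"},
}
SECRET = b"constructed-demo-signing-key"  # server-side key (hypothetical)

def issue_token(customer_id: int) -> str:
    """Issue a token bound to one customer: '<id>.<HMAC over id>'."""
    mac = hmac.new(SECRET, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"

def token_subject(token: str):
    """Return the customer ID the token was issued for, or None if invalid."""
    cid, _, mac = token.partition(".")
    if not cid.isdigit():
        return None
    expected = hmac.new(SECRET, cid.encode(), hashlib.sha256).hexdigest()
    return int(cid) if hmac.compare_digest(mac, expected) else None

def get_profile_flawed(token: str, requested_id: int):
    """Flawed: a valid token only proves 'someone logged in', so any ID is served."""
    if token_subject(token) is None:
        return None
    return PROFILES.get(requested_id)

def get_profile_fixed(token: str, requested_id: int):
    """Fixed: the requested ID must equal the ID the token was issued for."""
    subject = token_subject(token)
    if subject is None or subject != requested_id:
        return None
    return PROFILES.get(requested_id)

def readable_profiles(lookup, token: str, id_range) -> int:
    """How many profiles a single token can read across an ID range."""
    return sum(1 for cid in id_range if lookup(token, cid) is not None)

LOG = [  # constructed access-log lines: "<method> <path> tok=<token>"
    "GET /profile/1000 tok=A", "GET /profile/1001 tok=A",
    "GET /profile/1002 tok=A", "GET /profile/1003 tok=A", "GET /profile/1001 tok=B",
]

def suspicious_tokens(log_lines, threshold: int = 3) -> set:
    """Detection: tokens that read more distinct customer IDs than threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        _, path, tok = line.split()
        seen[tok].add(path.rsplit("/", 1)[1])
    return {t for t, ids in seen.items() if len(ids) > threshold}
```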
According to the researchers, more than 24 million people may have been affected by the flaw in Meu Vivo. The operator says, however, that “the number of customers possibly impacted by this illicit action is considerably less than that disclosed by some specialized press agencies”. Vivo does not disclose figures, however.
The LGPD (General Data Protection Law) only takes effect in August 2020. It establishes a fine equivalent to 2% of the company’s revenue, up to a limit of R$ 50 million, for companies that leak data.
Updated at 17:34