Update: On August 23, a day after publishing our report, Tata Play fixed the issue. They have changed the static URL for live chat to a dynamic one which will be unique for every new session preventing anyone to replace and reuse them anymore.
Tata Play (formerly Tata Sky) the leading DTH brand in the country with about 20 million subscribers has a very serious security issue that can even lead to takeover of your account by someone else. We tried to disclose the details to Tata Play team so that they can fix it, but they failed to respond back leaving no option other than going public.
Attempts to reach Tata Play
After discovering the issue and its wide possibility of misuse we immediately contacted customer support to report it, however they could not do anything as their job is only to manage and assist with general Tata Play set-top box and account issues. Then I posted on LinkedIn tagging Tata Play and it’s MD, CEO Mr. Harit Nagpal, but that too was ignored.
What can be exploited?
- Full Customer Name
- Complete Address
- Registered Mobile Number
- Registered Email address
- Account Balance
- Due Date
- Monthly Recharge Amount
- Change RMN to any number
- Change registered email address
- Activate or deactivate any service
- Place request for buying additional connections, upgrade STB or other equipment
Potential Misuse of this vulnerability and why you should be worried
It poses risk to users’ privacy, security, personal details and can cause them financial loss. Attackers may use this Personally Identifiable Information for phishing campaigns and scams. They will have access to everything including your real physical address, phone number, email address and more.
Anyone can easily take over someone’s account by changing their RMN and email address without any kind of verification. Once these details are updated, it’s very simple to login into the Tata Play website or app through OTP and from there the unauthorized person will have access to all data Tata Play keeps about their customers.
The Vulnerability
Tata Play has a Live Chat customer support which is available for all of its customers through their website and mobile app. Due to security reasons, this page can be opened only after putting in OTP sent on the customer’s Registered Mobile Number.
However, we have found that the Live Chat window itself has no security at all. The Chat window uses a fixed format for URL which can be edited and after reloading the page you will be connected with a support agent impersonating as another customer with a different subscriber ID.
The customer agents believe that users have reached that page and initiated chat only after OTP verification so no further verification is required.
Attackers can request almost any detail of that account and they will get it immediately. We were successfully able to know details like the customer’s full name, registered number, email, balance, due date, etc. just from a randomly picked subscriber ID from the internet.
It was shocking to find that we were also able to change the Registered Mobile number and email address of that user. You just need to give a reason why you can’t receive OTP on your current registered number and share the new number which you want to be registered with that account. Tata Play will then process the request and you will have full access to that user’s account within less than 2 minutes.
Details of the issue
Tata Play is using a standard fixed URL for all live chat support which is very easy to decode and can be modified to open without any kind of verification.
https://chat.tataplay.com/tataplaychat/mass.jsp?chatParameter=0000000000:rahul:singh:[email protected]:9999999999::11/10/2022Above is the direct link to initiate a chat with customer service, pretending to be a genuine Tata Play customer. In the URL, “000” (zeros) represents subscriber ID, followed by the account holder’s name, email address, registered mobile number and recharge due date.
You only need to know the subscriber ID and replace ‘000’ with the subscriber ID. The remaining fields are not required to be correct or verified and any random value even ‘ABC’ or ‘123’ works there.
Final words to Tata Play
This is the second security issue in Tata Play discovered within two years. In 2021 as well due to some coding mistakes then Tata Sky inadvertently exposed its customers’ data. One may say that security of subscribers is not a priority for Tata Play.
Being a leading DTH brand in the country and claiming to be first to try new technologies, please give attention to the privacy and security of your customers. If you can’t have a bug Bounty program then at least take security reports seriously.
Engage with people who are trying their best to ethically bring a vulnerability to your notice instead of ignoring them. Have a non-customer-care email that can be used to report such issues or train customer-care executives to escalate these. Millions of people trust and give their personal details to you, it’s your responsibility to protect them.
16 replies
Loading new replies...
Join the full discussion at the DreamDTH Forums →