Security researcher Prashant Uniyal claims to have identified vulnerabilities on the websites of three major Indian mobile operators: state-owned Bharat Sanchar Nigam Limited (BSNL), Tata Communications and Idea Cellular.
The expert contacted the companies some time ago to notify them of the flaws in their websites, but since none of them responded, he decided to make his findings public.
According to Uniyal, the sites of Idea Cellular and Tata Communications are affected by persistent (stored) cross-site scripting (XSS) vulnerabilities. The bug identified on the BSNL website is similar, but non-persistent (reflected).
“What amused me was to see that these websites even have online payment options for customers,” the expert told us via email.
“Leaving such top and easily noticeable threats on a website will help malicious attackers compromise the security of users by performing various JavaScript-based attacks, phishing and drive-by download attacks. Ajax keylogging gets easy by leveraging such vulnerabilities.”
The researcher has provided Softpedia with the details of the vulnerabilities, but since none of them has been fixed, we will not be making the information public at this time. However, here are some redacted screenshots that demonstrate the existence of the flaws.