Bharat Sanchar Nigam Limited (BSNL), the Indian state-owned telecommunications company, is known neither for its quality of service nor for customer satisfaction. To make their services more user-friendly, they started offering a quick online recharge facility on their website, but this service has a data privacy loophole: anybody can check any BSNL subscriber's prepaid balance and expiry date. While this may not sound like a big security risk, the exposed data can be used to devise social-engineering phishing attacks. For example, a malicious hacker can fetch this data and use it when calling the subscriber while posing as a BSNL employee, supplying this information to gain the consumer's trust and then asking them to order a highly subsidized online recharge from a fake website.
All one needs to do is visit the portal at https://portal.bsnl.in/rc3/aspxfiles/instarecharge.aspx, enter any BSNL mobile number twice with a fake email id, and go ahead with picking a recharge value. You don't need to complete the recharge; just pick any recharge value and submit, and you will be shown the account status of the subscriber at the "Proceed For Payment" screen as shown above.
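One way to close the gap described above, as an added example that is not part of the original post or BSNL's code: the payment summary includes balance and expiry only after a one-time code texted to the number itself has been verified, so recharging someone else's number still works but reveals nothing about the account. The function names, the OTP policy and the sample account are assumptions.

```python
import hmac
import secrets
import time

OTP_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the code is burned (assumed)

# Constructed sample data standing in for the billing back end.
ACCOUNTS = {"9400000001": {"balance": 42.5, "expiry": "2030-01-31"}}
_pending = {}      # msisdn -> [otp, issued_at, attempts_left]

def request_code(msisdn, send_sms):
    """Text a one-time code to the number; only the SIM holder receives it."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[msisdn] = [otp, time.time(), MAX_ATTEMPTS]
    send_sms(msisdn, otp)

def owner_verified(msisdn, otp):
    """True once, for the right code, within the TTL and attempt budget."""
    entry = _pending.get(msisdn)
    if entry is None:
        return False
    code, issued, _ = entry
    if time.time() - issued > OTP_TTL:
        del _pending[msisdn]
        return False
    if hmac.compare_digest(code.encode(), otp.encode()):
        del _pending[msisdn]          # single use
        return True
    entry[2] -= 1
    if entry[2] <= 0:
        del _pending[msisdn]          # burn after too many wrong guesses
    return False

def proceed_for_payment(msisdn, amount, otp=None):
    """Build the payment summary; account status only for a verified owner."""
    summary = {"msisdn": msisdn, "amount": amount}
    # Without a valid code the response is identical for every number,
    # so the screen cannot be used to look up a stranger's balance.
    if otp is not None and owner_verified(msisdn, otp) and msisdn in ACCOUNTS:
        summary.update(ACCOUNTS[msisdn])
    return summary
```
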
Comments
Even there is for Hathway, I knew the loopholes
True, you can check any number!!
It's not a loophole but a service
I think it's not a loophole but a service feature for the subscriber...
BSNL has made this feature for the subscriber to know about his current balance and validity before he proceeds with the recharge, so that the subscriber can be aware of all the details... I think it's in the interest of the subscriber...
Yes, but letting users see anybody's balance is something which is not a good practice and can be used to do hacking attacks via social-engineering.
Extend your BSNL Mobile validity online using this tutorial.