Call records breach let users feel like Movistars (with everyone watching who they're talking to)

Telefonica Spain has inadvertently exposed the personal details of customers of its Movistar division.

Names, addresses, fixed and mobile line numbers, email addresses and the call breakdown of Movistar customers were all exposed because of basic programming errors in Movistar’s online customer portal.

Anyone with a Movistar account could view other users' personal data simply by changing the URL because of a basic enumeration bug¹. Modifying this online account ID referenced in the URL meant a users could then access other users' account data.

FACUA, a Spanish non-profit that specialises in consumer rights protection, held a press conference and went public about the flaw on Monday.

The bug has been resolved at this point, hours after it was reported to Telefonica on Sunday, which is just as well because it was a real howler, as illustrated by the video below.

Youtube Video

Customers of Movistar's landline, broadband, and television service were all at potential risk from the security breach, which came to light after a Movistar user reported it to FACUA.

It's unclear whether or not the security slip-up has actually been exploited by miscreants to harvest users' personal details. El Reg approached Telefonica/Movistar for comment via both email and Twitter but we're yet to hear back. We'll update this story as and when more information comes to hand.

FACUA has reportedly filed a complaint against Telefonica Spain and Telefonica Mobile with the Spanish Agency for Data Protection (AEPD). ®

Bootnote

¹This type of flaw is technically known as a Insecure Direct Object Reference (IDOR), a basic problem on poorly designed web applications that has been known about for many years but still crops up more than occasionally.