

Call records breach let users feel like Movistars (with everyone watching who they're talking to)

Enumeration bug potentially allowed users to peek at each other's details

Telefonica Spain has inadvertently exposed the personal details of customers of its Movistar division.

Names, addresses, fixed and mobile line numbers, email addresses and the call breakdown of Movistar customers were all exposed because of basic programming errors in Movistar’s online customer portal.

Anyone with a Movistar account could view other users' personal data simply by changing the URL, because of a basic enumeration bug¹. Modifying the account ID referenced in the URL let a logged-in user access other users' account data.

FACUA, a Spanish non-profit that specialises in consumer rights protection, held a press conference and went public about the flaw on Monday.

The bug has now been resolved, hours after it was reported to Telefonica on Sunday, which is just as well because it was a real howler, as illustrated by the video below.


Customers of Movistar's landline, broadband, and television service were all at potential risk from the security breach, which came to light after a Movistar user reported it to FACUA.

It's unclear whether or not the security slip-up has actually been exploited by miscreants to harvest users' personal details. El Reg approached Telefonica/Movistar for comment via both email and Twitter but we're yet to hear back. We'll update this story as and when more information comes to hand.

FACUA has reportedly filed a complaint against Telefonica Spain and Telefonica Mobile with the Spanish Agency for Data Protection (AEPD). ®

Bootnote

¹This type of flaw is technically known as an Insecure Direct Object Reference (IDOR), a basic problem in poorly designed web applications that has been known about for many years but still crops up more than occasionally.
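To make the bootnote and the "change the ID in the URL" description above concrete, here is an added illustration (not Movistar's code, and not code from the article) of the pattern in miniature: a portal handler that trusts the account ID in the URL beside a hardened version that checks the record belongs to the logged-in user, plus the sequential walk an attacker or a curious customer would do. The account store, logins and numbers are constructed sample data, and the HTTP-style status tuples stand in for a real web framework's responses.

```python
"""Insecure direct object reference (IDOR): an account view that trusts the ID in
the URL, beside a hardened version that performs object-level authorization.
Added illustration; the store, names and handlers are constructed, not Movistar's."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str          # login that owns this account
    name: str
    phone: str
    email: str


# Constructed sample data: three customers with sequential account IDs.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", "Alice Example", "+34 600 000 001", "alice@example.test"),
    1002: Account(1002, "bob", "Bob Example", "+34 600 000 002", "bob@example.test"),
    1003: Account(1003, "carol", "Carol Example", "+34 600 000 003", "carol@example.test"),
}

Response = Tuple[int, Optional[Account]]            # (HTTP-style status, body)
Handler = Callable[[Optional[str], int], Response]


def vulnerable_account_view(session_user: Optional[str], account_id: int) -> Response:
    """GET /account/<account_id> the way the flawed portal behaved: authentication
    only. Any logged-in user receives whichever record the URL names."""
    if session_user is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct          # missing check: does session_user own acct?


def hardened_account_view(session_user: Optional[str], account_id: int) -> Response:
    """Same route with an object-level authorization check. A foreign account and
    a non-existent one both yield 404, so the response does not reveal which IDs
    exist and the ID space cannot be mapped by watching status codes."""
    if session_user is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        return 404, None
    return 200, acct


def enumerate_accounts(handler: Handler, session_user: Optional[str],
                       ids: Iterable[int]) -> Dict[int, str]:
    """What the reporter did by hand: walk a range of IDs with one session and
    record every owner whose data comes back. Returns {account_id: owner}."""
    leaked: Dict[int, str] = {}
    for account_id in ids:
        status, body = handler(session_user, account_id)
        if status == 200 and body is not None:
            leaked[account_id] = body.owner
    return leaked


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable:", enumerate_accounts(vulnerable_account_view, "alice", probe))
    print("hardened:  ", enumerate_accounts(hardened_account_view, "alice", probe))
```

Logged in as alice, the vulnerable handler hands back all three customers' records across a ten-ID probe; the hardened one returns only her own. The ownership check is the minimum fix; a cleaner design for a "my account" page is to not accept the account ID from the URL at all and resolve it from the server-side session, which removes the direct reference entirely.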
