UAE telecoms company swoops in to rectify security loophole

The company scrambled to close the flaw after it was flagged by a member of the public on the social networking site Twitter.

A screen grab of the du website which previously revealed customers' email addresses when they clicked on the 'forgotten password' option. The company has since rectified the problem. The National
Powered by automated translation

Telecoms company du yesterday closed a security loophole on its website that made its customers' email addresses available to members of the public.

The company was forced to make the security adjustment after the flaw was uncovered by a member of the public on Twitter.

The discovery occurred on the same day du announced it was launching a new range of security measures to protect its customers “key information”.

Du’s “selfcare” login screen had included an option for customers who had forgotten their password to obtain a new one. Such customers were then prompted to enter their mobile phone number and when they did so an automated message appeared on screen confirming the email address associated with that number.

However the loophole raised fears that fraudsters would be able to target specific phone numbers and find out the corresponding email address – as well as, in many cases, their first and last names which often feature on the email address.

One customer, Ramy Bayyour, flagged up the issue to the company on Twitter.

Mr Bayyour wanted to pay his phone bill online, but had forgotten his selfcare password. When he entered his number and his personal email address was displayed, alarm bells started ringing.

“I thought it was strange as most websites would either tell you that they would send an email to the address you have registered with or would maybe display the first few letters, but not the entire address,” he said. “I thought it might be something related to my account only, but then tried random numbers and numbers of people I know and same thing happened.

Email addresses associated with their selfcare accounts popped up.

“I was appalled,” he said.

Following a number of concerned messages to the company yesterday and requests from The National for comment, the loophole was closed.

The website now reads: “Your primary email in du” instead of displaying the full email address.

Du issued a statement yesterday saying: “We would like to assure that we treat our customers’ data privacy with utmost priority.

But for a temporary period, the email IDs of some du customers who use selfcare on were showing, only if they forgot their passwords. This issue has been immediately rectified today."

The company’s action comes on the same day it announced advanced security measures to help protect its customers’ data and information.

Media experts said it was crucial that organisations stored  customers’ personal data securely.

“Any organisation that holds and manages user data online knows it has an enormous responsibility of trust and care, and needs to invest in ensuring it preserves its customers’ security and data,” said Alexander McNabb, a media expert and director of Dubai-based, Spot On Pr.