
Mahavitaran sparked concern with leaking customer app

Liarna La Porta

Paying utility bills is a drag, so most utility companies these days have set up a range of payment options, including mobile apps, to make payments more convenient for their customers. Despite their good intentions, utility companies may not be aware that a data leak is adding the cost of your stolen PII to your monthly bill.

Mahavitaran is the second largest electricity distribution utility in the world and supplies electricity to a staggering 22 million consumers across the Maharashtra region in India.

The company’s mobile app, “Mahavitaran Consumer App”, has between 100,000 and 500,000 installations. It’s primarily used by customers to view and pay their bills online, as well as to apply for a new connection.

Wandera’s threat intelligence technology MI:RIAM identified instances of a data leak that affected both the iOS and Android apps of Mahavitaran, which put customer information at risk of theft.

How does the data leak happen?

At almost every stage, including during user registration and login, in new connection requests and for payment transactions, the app was leaking users’ personally identifiable information (PII). This includes customer credentials, like username and password, leaving them totally exposed to hackers.

Using MI:RIAM, the Wandera team also identified that the parameters sent to the app’s backend were vulnerable to SQL Injection, which means that the full client database of Mahavitaran would be at a hacker’s mercy.

SQL Injection explained

SQL injection attacks allow attackers to spoof identity, tamper with existing data, void transactions, change balances, gain complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. The severity of SQL Injection attacks is limited only by the attacker’s skill and imagination, and it should be considered a high impact risk to an organization.
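The root cause described above, request parameters concatenated into a query, can be shown beside its fix. The following is an added illustration and not Mahavitaran’s code: a constructed in-memory SQLite table with a hypothetical login lookup written first with string concatenation, then with bound parameters, so the two can be compared on the same inputs.

```python
import sqlite3

def build_db():
    # Constructed sample data; a real backend would store password hashes, not plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, consumer_no TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "CN-0001"), ("bob", "hunter2", "CN-0002")],
    )
    return conn

def login_vulnerable(conn, username, password):
    # Hypothetical vulnerable lookup: the request parameters become part of the SQL text,
    # so a quote character in either field changes the query's structure.
    query = (
        "SELECT consumer_no FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn, username, password):
    # Fixed lookup: the SQL text is fixed and the values are bound by the driver,
    # so they are only ever compared as data, never parsed as SQL.
    query = "SELECT consumer_no FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def regression_check():
    # Returns True when the parameterized lookup rejects an input that the
    # concatenated lookup accepts, which is the behaviour a fix should show.
    conn = build_db()
    hostile_password = "' OR '1'='1"
    leaked = login_vulnerable(conn, "alice", hostile_password)
    held = login_parameterized(conn, "alice", hostile_password)
    return len(leaked) > 0 and held == []

if __name__ == "__main__":
    print("parameterized query blocks the injected input:", regression_check())
```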

What is being exposed in the data leak?

The following PII was exposed when a user registers on the app:

  • Username
  • Password
  • E-mail address
  • UID
  • Date of birth
  • Pin
  • Billing unit
  • Consumer number
  • Bank account number
  • Mobile phone number

The following PII was exposed during the login procedure:

  • Username
  • Password

The following PII was exposed when a user pays his/her bill:

  • Username
  • Password
  • Customer number
  • First and last name

The following PII was exposed when users update their information:

  • E-mail
  • Phone number

The following PII was exposed when users request a new connection:

  • E-mail
  • Phone number
  • First and last name
  • Address
  • City

What can your business do to avoid being impacted by a data leak?

Global firms with any kind of presence in India should have an active mobile security service deployed. These technologies should filter and block traffic at the data level, so that connections to leaky apps can be stopped before a data leak occurs.

This will keep all devices in corporate fleets protected from a data leak, even those that are jailbroken, employee-owned or otherwise outside EMM control.

The latest mobile threats that you should know about

Our Threat Advisories present useful information on new mobile threats, their implications and practical steps for remediation and prevention, enabling you to swiftly address each new threat before it impacts your business.

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.
