Telfort customer data leak shows potential perils of unofficial apps


A third-party Windows Phone app, Abonnement Status, was responsible for leaking the phone numbers and passwords of just over a thousand customers of Dutch telecoms operator Telfort, according to a story filed by the regional newspaper de Gelderlander. The app, which described itself as unofficial, was traced as the source of a list of customers' details that appeared on a public web server.

As a result of the security breach the operator, a subsidiary of KPN, temporarily shut down the My Telfort section of its website. The My Telfort section is used by the operator's customers to edit personal information, view balance information, and change their tariffs.

Abonnement Status

In a statement KPN noted that the app would be removed as soon as possible:

The credentials of some thousand customers [were made available] through an unofficial app on an external site. It is information that customers had entered in a fraudulent external app, downloaded from the Windows Phone store... Microsoft has informed Telfort that the app will be removed from the store as soon as possible... Telfort warns customers to never download or use unofficial apps.

It is not clear whether the app was created with malicious intent, but it did make use of the official Telfort logo, which is a clear breach of the Windows Phone Store terms and conditions. The app does appear to have provided the functionality described in its Windows Phone Store listing, so the leak may have been accidental; in either scenario the incident offers a good example of the dangers inherent in using third-party apps.

A common-sense approach would be to avoid unofficial apps for any service that contains, or has access to, any kind of sensitive private data. The issue with third-party apps is that there is no easy way of knowing what is happening to your data, or whether it is being passed through a third-party server. That is true, to an extent, of official apps as well, but third-party apps are, quite understandably, not covered by the protection obligations implicit in an official app.

Via: ZDNet

Source / Credit: de Gelderlander