SOLVED (the questioner has marked this post as solved; thread closed)

My Swisscom Android App Bug (Security related)

Contributor
1 of 9

Hey Guys

 

I think I have just found a bug in the My Swisscom app on Android. My phone was blocked because I had not paid all of my bills, so I asked a friend of mine to open a mobile hotspot on his phone (he is a Swisscom customer). Once I had connected my phone to his hotspot, I decided to check my bills using the My Swisscom app on my own phone. The app performed an auto-login after I started it. While checking my bills I realized that these were not the bills for my phone number but my friend's.

 

I consider this a serious security bug in the app. Using this app it is also possible to subscribe to multiple roaming data and/or phone plans. So not only could I see all his bills and his phone number, I could also have caused him to subscribe to new services, all from my own phone connected to his mobile hotspot.

 

The app description on the Google Play Store:

 

••••• LOGIN •••••

You can access My Swisscom via the Swisscom mobile network or via a WLAN connection. Within the Swiss 3G network, you will be automatically logged in by identification of your NATEL® number. You will need your Swisscom Login if you are using a WLAN connection. You can also use your NATEL® number to log in. 

 

I guess the check for WLAN or 3G does not take into account the case of a mobile hotspot.

 

Can anyone reproduce this using other phones and setups?

 

If this is really possible, I hope this gets looked at as soon as possible.

 

Kind regards

UdK.cH

MOST HELPFUL ANSWER

Accepted Solution
Swisscom
7 of 9

Hello everyone

 

Thank you for pointing this out. We know about this issue already and our specialists are working on a solution. We are planning to roll out the fix during the next weeks.

 

In general, we advise our customers to always protect their personal hotspot with a password in order to prevent unauthorized access by third parties. You can keep track of the issue at www.swisscom.ch/status under "Security note regarding personal hotspots ".

 

Best regards
Swisscom

8 Comments
Super User
2 of 9
Auto login?

Under iOS, you have to log in using a NATEL or Swisscom login.

How would the auto login work?
Contributor
3 of 9
A mobile hotspot is not a fully functional router. Any device channelled through it will use the phone's credentials to access My Swisscom. This is documented elsewhere on the Swisscom web!
rws
Contributor
4 of 9
Do you by any chance have a link to where it is documented?

I consider this a serious risk. Do you not agree? If it is as you say, this should at least be documented in the app description in the section I quoted.

I would guess this is absolutely something that is easily patchable. All you would need to do is check the phone's network state before login. Since the phone's network state is WLAN, it should be possible to disable the auto-login at this point.

Correct me if I'm wrong.
UdK.cH
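One way to implement the client-side check suggested in the post above, as an added example that is not Swisscom's code and does not come from the thread. The class name `SilentLoginGuard` and the calling code are hypothetical; the block uses the Android `ConnectivityManager` API that was current for an app of this period (`getActiveNetworkInfo()`, since deprecated) and requires the `ACCESS_NETWORK_STATE` permission in the manifest.

```java
// Added example, not Swisscom's code: skip the SIM-based "silent login"
// whenever the device's active data path is anything other than its own
// mobile data connection. A tethered hotspot looks like ordinary Wi-Fi to
// the client, even though the carrier side sees the host phone's subscriber.
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.NetworkInfo;

public final class SilentLoginGuard {          // hypothetical name
    private final ConnectivityManager cm;

    public SilentLoginGuard(Context ctx) {
        cm = (ConnectivityManager) ctx.getSystemService(Context.CONNECTIVITY_SERVICE);
    }

    /** True only when the active network is this device's own mobile data link. */
    public boolean silentLoginAllowed() {
        NetworkInfo info = cm.getActiveNetworkInfo();
        if (info == null || !info.isConnected()) {
            return false;                      // offline: nothing to identify
        }
        // TYPE_WIFI covers both ordinary WLAN and a friend's hotspot, so only
        // TYPE_MOBILE is trusted for network-based identification.
        return info.getType() == ConnectivityManager.TYPE_MOBILE;
    }

    /** Hypothetical caller: decide which login path to take at app start. */
    public String chooseLoginPath() {
        return silentLoginAllowed() ? "silent-login-via-sim" : "prompt-for-swisscom-login";
    }
}
```

A check like this only stops the app itself from silently logging in over a hotspot. Anyone connected to the hotspot with a browser or a modified client still reaches the Swisscom network with the host phone's subscriber identity, so it is a usability guard rather than a security boundary; the network- or account-side opt-in for automatic login is what actually closes the hole.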
Contributor
5 of 9

 

When the MySwisscom app (v5, Android) is installed and first used, this is mentioned on the Terms of Use page prior to using the app for the first time.

 

It is noted that the account owner can disable the automatic sign-in on their Customer page.

 

When the user explicitly logs out of the MySwisscom app, there will be no automatic login. The next account to log in is the user's choice.

 

Personal commentary: using a friend's portable hotspot ought to be considered fairly safe, as one assumes a relationship of trust, and connecting requires a password if setup and security are properly followed.

 

Quote from the Help page within the MySwisscom app:

Contributor
6 of 9

The quote mentioned in the prior post:

 

-------------------------------------------------

How can I disable the automatic login?

When connected to the 3G net, My Swisscom is able to recognise your mobile phone number and will log you in automatically. You can disable the automatic login in the Swisscom Customer Center.

1. Visit www.swisscom.ch/customercenter
2. Log in using your Swisscom Login
3. On the left-hand side, click on "My details"
4. In the middle of the page you will now see the category "Passwords & logins": click on "Change NATEL® login"
5. You will now see one or more mobile phone numbers. Choose the number that belongs to the device on which you wish to disable the automatic login and click on "Change"
6. Now untick the box "Automatically via SIM"
7. Click on "Continue"

Protect your smartphone data in case of theft or loss. Regardless of whether you are using the automatic login or not, please make sure to protect your personal data using your device's password lock feature.

-------------------------------------------------

Contributor
8 of 9

Hello AndersF

 

Thank you for your reply and the link to the issue. I'm happy to see this issue is being taken seriously. It is good to see that it was found by someone a month before me.

 

I hope this will be fixed as soon as possible. Once an update is available on the Google Play Store I will test it and report back to this thread.

 

Kind regards

UdK.cH

Expert
9 of 9

Hello everyone

 

With the My Swisscom App version 5.2 (released 30.05.2013) we have fixed this bug. In the past the "silent login" was activated for every customer by default. Now every customer needs to activate the "silent login" if they want to use it.

 

If you set up a personal hotspot on your mobile phone and allow it to be used by third parties, we ask you to disable automatic login. This will ensure that a third party cannot take advantage of the hotspot in order to access your customer information.

 

Best regards

Kind regards

PascalW

My specialist areas:
Customer Care Support (Mobile & Fixnet)
Social Media Communities