2014-11-01

User Data Compromised on Alfa Portal

It has been several months, if not well over a year, since I logged into my account on www.alfa.com.lb, the official site of Alfa (managed by Orascom), one of the two local mobile providers.

I was curious today to check some parts of the portal, and as I logged in and was redirected to my own account info, I discovered, to my amazement, that although my password had remained unchanged, and my mobile number was still associated with my username "patrick", the entire profile was wrong and showed someone else's info.

I have to give you a brief background on why this is important for me. Back in my early career, in the year 2000 (read it like Conan O'Brien would), I was the lead developer with Cellis - France Telecom when the portal was created under the name Plugged.
I also led the portal re-branding into what became the basis of its current form, heading Web Development in the company until I left in 2011 to start my own venture, Sharp Lemon.

My username had been coveted several times in the past, maybe for its simplicity, but I only used to get "password reset" requests, until those requests stopped and I figured that, most likely, no one was sending Web-to-SMS anymore, and perhaps Alfa had implemented a stringent login process since then.

My discovery below surprised and worried me for one major reason:
I know, from first-hand experience with the Bureau of Electronic Crime, that SMS messages sent from the Alfa portal make the account holder liable for the information sent from it in cases of breach of law (harassment, threats or any illegal activity). So, imagine the implication if someone had access to your Alfa account. It also meant they could see vital information regarding your phone calls and other activities.

I personally believe the portal suffers, or has suffered, from a serious vulnerability that has allowed someone to modify profile information without accessing passwords, which were, to my knowledge, hashed in the database.
The other, more benign, alternative is that during some internal data migration, Alfa really messed up some data sets and people's profile info ended up associated with other people's accounts.

I have since updated my info, although I cannot seem to find a link to where I can update my password. Either it's buried so deep, or someone has considered that changing a password is a feature not really necessary for a site of this caliber.

Either way, this is an alarming incident for me, and I invite you, if you have used or are still using Alfa's portal, to check your account and let me know in the comments if you have faced similar incidents.

Too bad, Alfa, just when I was starting to think you had finally gotten your act together again!