Exclusive: How Critical Security Flaw in MTN Portal Could Have Exposed Personal Data of Millions

Critical security vulnerabilities in MTN Nigeria’s self-service portal have been uncovered that could have potentially compromised the personal data of millions of Nigerian telecom users.

The vulnerabilities exclusively revealed to Web Security Lab could have allowed attackers to access sensitive information, including family members’ details, residential addresses, full names, phone numbers, data balances, airtime balances, recharge history, and tariff plans of MTN customers.

Discovery of Multiple IDOR Vulnerabilities

Security researcher Aliyu Eka made the findings while investigating the portal.

Eka utilised Burp Suite, an industry-standard web application security testing tool, to carry out interception-based testing.

By configuring the tool as a man-in-the-middle proxy, he was able to capture, inspect, and manipulate traffic between his device and MTN’s servers, revealing critical vulnerabilities in the session handling mechanisms.

What he found was alarming: the portal had a session management flaw that allowed modification of phone numbers mid-request, potentially granting unauthorised access to the sensitive data of other MTN users.

Specifically, Eka discovered two distinct Insecure Direct Object Reference (IDOR) vulnerabilities:

  1. The first vulnerability was found on the https://ninlinking.mtn.ng/ subdomain, which is designed to check if an MTN number is linked to a National Identification Number (NIN). This subdomain lacked proper access controls, allowing potential modification of parameters in the request that could retrieve personal information associated with phone numbers.
  2. The second vulnerability existed on the selfservice.mtn.ng domain, where customer accounts weren’t properly tied to session IDs. This critical flaw meant that once logged in, a user could potentially change the phone number in requests to access other users’ information without any additional authentication.
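To make the second flaw concrete, here is an added illustration (constructed toy code, not MTN's portal code) of a profile lookup that trusts the phone number in the request next to one that binds the lookup to the phone number authenticated in the session; the session and subscriber tables are made-up sample data.

```python
"""Toy model of the session-binding (IDOR) flaw described above.
Constructed example; session ids, MSISDNs and records are fake."""
from typing import Optional, Tuple

# Constructed sample data: session id -> MSISDN that logged in.
SESSIONS = {"sess-alice": "2348030000001", "sess-bob": "2348030000002"}

# Constructed subscriber records keyed by MSISDN.
SUBSCRIBERS = {
    "2348030000001": {"name": "Alice A.", "airtime": 500, "plan": "Pulse"},
    "2348030000002": {"name": "Bob B.", "airtime": 1200, "plan": "XtraValue"},
}

Response = Tuple[int, Optional[dict]]  # (HTTP-style status, body)


def profile_vulnerable(session_id: str, msisdn: str) -> Response:
    """Vulnerable pattern: the handler only checks that *a* session exists,
    then uses the caller-supplied msisdn to pick the record. Any logged-in
    user can read any subscriber simply by changing the number."""
    if session_id not in SESSIONS:
        return 401, None
    record = SUBSCRIBERS.get(msisdn)
    return (200, record) if record else (404, None)


def profile_fixed(session_id: str, msisdn: str) -> Response:
    """Hardened pattern: the object reference is checked against the identity
    bound to the session. A mismatch is rejected with the same response
    whether or not the target number exists (no enumeration oracle), and is
    worth logging as a strong IDOR-probing signal."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, None
    if msisdn != owner:
        # In a real service: log session_id and requested msisdn for detection.
        return 403, None
    return 200, SUBSCRIBERS[owner]
```

The vulnerable handler returns Bob's record to Alice's session, while the fixed one returns 403 for every number other than the one Alice authenticated with.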

Exposed Personal Data

The vulnerabilities potentially exposed sensitive user information, including:

  • Full names, dates of birth, and addresses
  • Family information linked to user accounts
  • Airtime and data balances
  • Tariff plan details and recharge history

Eka confirmed that these vulnerabilities were properly reported through official channels and have since been patched.

Industry Implications

Eka’s findings highlight a pressing issue within Nigeria’s telecom industry: the need for stronger, more proactive security programs and practices.

While MTN swiftly addressed the vulnerabilities, the absence of structured bug bounty programs in many Nigerian organisations means that critical flaws may go undetected for too long.

Notably, MTN has partnered with HackerOne, a widely recognised platform for responsible vulnerability disclosure.

This program allows ethical hackers and security researchers to report vulnerabilities they discover, fostering a more proactive and collaborative approach to cybersecurity.

Such programs are increasingly viewed as a crucial step for companies to strengthen their security frameworks, especially in industries that handle large volumes of sensitive data, such as telecom.

The 2023 Globacom breach, in which hackers stole sensitive data, crippled operations, and demanded millions of dollars in ransom, further highlights the growing cybersecurity threats facing telecom companies in the region.

With cybercrime on the rise, Nigerian telecom providers must adopt comprehensive security strategies, including proactive vulnerability management, to protect sensitive customer data and maintain public trust.
