M1 briefly suspended pre-orders for the iPhone 6 and iPhone 6 Plus after a serious security vulnerability was found on its website over the weekend.
Access has since been restored, and the telco has apologized and said that it will be conducting a full review of the incident.
The problem was found by an M1 customer who identified himself as a computer science postgraduate student. He had managed to access the personal data of the telco’s customers and alerted the company to the loophole with a post on its Facebook wall on Sunday evening.
The man said he was able to access information such as phone numbers, NRIC (the national identity card in Singapore), as well as home addresses. According to him, the “simple, silly error” could have resulted in the entire database of signups being downloaded in the span of hours.
“M1 places the utmost priority in protecting our customer data and privacy and has implemented strict processes and procedures to safeguard customer information including regular security audits,” said M1 on its Facebook page on Monday after the pre-order page was restored. “We will be conducting a full review on this incident, and we sincerely apologize for the inconvenience caused.”
We reached out to Wong Onn Chee, a noted security expert and the managing director of Singapore-based Infotect Security, for his take on the incident. Wong attributed the debacle to an access control issue known in security parlance as “Insecure Direct Object Reference”.