ACT Fibrenet Account Page Access — Broken Access Control

If you are an ACT Fibrenet customer with a static IP, either at home or at the office, this might be of interest (and worry) to you. There is a flaw in ACT Fibrenet's account/billing page. Wait, it's not exactly a flaw but a deliberate weakness in the name of convenience: the account settings page is accessible without any authentication (although only from the ACT pool IPs).

If you access the same page [http://portal.acttv.in/] from a different ISP and then click the My Account button, you are prompted for a username and password before the billing page is shown.

However, the problem with the implementation is that any user on the same LAN segment, or any guest at your office or home, is able to access your account's settings page and make modifications: changing the plan, changing the contact email address and phone number, and also resetting the password (using the changed email address). Note also that the page is served over both HTTP and HTTPS.

Since the account page does not ask for the existing password when settings are changed, anyone in that position can make unauthorised modifications.
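The two authorization decisions described above, modelled side by side as an added example (not code from the post or from ACT): the flawed policy treats a source address inside the ISP's static pool as proof of identity and asks for nothing before a change, while the hardened policy requires an authenticated session and re-entry of the current password for any state-changing page. The pool range, account, password and paths are all constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional
import hashlib
import hmac
import os
import secrets

# Constructed placeholder range (RFC 5737 documentation space) standing in for
# the ISP's static-IP pool; it is not ACT's real address range.
STATIC_IP_POOL = [ip_network("203.0.113.0/24")]

# Pages whose handlers change account state (the post names plan, e-mail and password).
SENSITIVE_PATHS = {"/account/plan", "/account/email", "/account/password"}


@dataclass
class Request:
    client_ip: str                            # source address as the portal sees it (post-NAT)
    path: str
    session_token: Optional[str] = None
    current_password: Optional[str] = None    # re-authentication supplied with a change


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt))


def check_password(account: Account, password: Optional[str]) -> bool:
    if password is None:
        return False
    return hmac.compare_digest(_hash(password, account.salt), account.pw_hash)


def ip_bound_policy(req: Request, account: Account) -> bool:
    """The flawed policy: a source address inside the static pool is taken as proof
    that the requester is the subscriber, and no password is asked for on changes.
    Every device behind the subscriber's NAT shares that address, so guests and
    LAN neighbours pass this check exactly as the account holder does."""
    return any(ip_address(req.client_ip) in net for net in STATIC_IP_POOL)


class Sessions:
    """Minimal server-side session table: token -> username."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def login(self, account: Account, password: str) -> Optional[str]:
        if not check_password(account, password):
            return None
        token = secrets.token_urlsafe(32)
        self._store[token] = account.username
        return token

    def owner(self, token: Optional[str]) -> Optional[str]:
        return self._store.get(token) if token else None


def hardened_policy(req: Request, account: Account, sessions: Sessions) -> bool:
    """Network location is not identity: require an authenticated session for every
    account page, and the current password again before any state change."""
    if sessions.owner(req.session_token) != account.username:
        return False
    if req.path in SENSITIVE_PATHS and not check_password(account, req.current_password):
        return False
    return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: the subscriber and a guest on the same LAN both egress from
    the static IP 203.0.113.10 and request the plan-change page."""
    acct = make_account("subscriber", "correct horse battery staple")
    sessions = Sessions()
    token = sessions.login(acct, "correct horse battery staple")
    guest = Request("203.0.113.10", "/account/plan")
    owner_no_reauth = Request("203.0.113.10", "/account/plan", session_token=token)
    owner = Request("203.0.113.10", "/account/plan", session_token=token,
                    current_password="correct horse battery staple")
    return {
        "ip_bound_guest": ip_bound_policy(guest, acct),                              # True: the flaw
        "hardened_guest": hardened_policy(guest, acct, sessions),                    # False: no session
        "hardened_owner_no_reauth": hardened_policy(owner_no_reauth, acct, sessions),  # False: no password
        "hardened_owner": hardened_policy(owner, acct, sessions),                    # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point the model makes is that the guest and the subscriber are indistinguishable to the portal at the network layer, so any check based on the source address alone grants both the same access; only something the subscriber holds (a session obtained with the password, and the password again for changes) separates them.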

ACT customer support was notified about this issue, but their response was:

Since you are a static IP user, we have bound your credentials so you need not log in every time to access the internet. Also, the information at the portal cannot be edited, as it is only for viewing.

When supplied with additional information about being able to make unauthorised changes without entering our own password, their response was:

As these are the default settings for static customers in general, we will not encourage altering settings. Anyhow, we are suggesting you block the URL on your router end.

This kind of implementation is totally flawed. Not a happy customer. If you are an ACT Fibrenet customer, I recommend you bring this to their notice and ask them to fix it!