
ACT Fibrenet Account Page Access — Broken Access Control

If you are an ACT Fibrenet customer with a static IP, at home or at the office, this should interest and worry you. There is a flaw in ACT Fibrenet's Account/Billing page. It is not exactly a bug but a deliberate weakness introduced for convenience: the account settings page is accessible without any authentication, although only from the ACT pool IPs.

If you open the same page [http://portal.acttv.in/] from a different ISP and click the My Account button, you are prompted for a username and password before the billing page is shown.

The problem with this implementation is that any user on your LAN segment, including guests at your office or home, shares your static IP and can therefore open your account settings page and make changes: switching plans, changing the contact email address and phone number, and resetting the password (using the changed email address). Note also that the page is served over both plain HTTP and HTTPS, so anything submitted over the HTTP version travels unencrypted.

Since the account page does not ask for the existing password before saving changes, anyone who reaches it can make unauthorised modifications.
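To make the two weaknesses concrete, here is a small Python model added for this post; it is not ACT's code, and how the portal really decides is unknown. It models what the post describes: the portal sees one public address for every device behind the customer's NAT, that address is "bound" to an account, and no current password is required before a change is saved. The pool range (an RFC 5737 documentation block), the account, and the names `ACT_POOL`, `ACCOUNTS_BY_IP`, `Request`, `authorize_vulnerable` and `authorize_hardened` are all constructed for the example.

```python
"""Added illustration of the two access-control weaknesses described above.
Not ACT's code; the portal's real logic is unknown. Every name and value
here is an assumption made for the example."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed "ISP pool" using an RFC 5737 documentation range; the real pool is unknown.
ACT_POOL = [ipaddress.ip_network("203.0.113.0/24")]

# Account changes that should require the current password even inside a logged-in session.
SENSITIVE_ACTIONS = {"change_plan", "change_email", "change_phone", "reset_password"}


@dataclass
class Account:
    username: str
    password: str        # plaintext only in this toy; a real portal stores a hash
    static_ip: str


@dataclass
class Request:
    src_ip: str                    # public address the portal sees; every device behind the NAT shares it
    session_user: Optional[str]    # user authenticated in this browser session, if any
    action: str
    current_password: Optional[str] = None


OWNER = Account("cust123", "correct-horse", "203.0.113.42")          # constructed sample customer
ACCOUNTS_BY_IP: Dict[str, Account] = {OWNER.static_ip: OWNER}       # the "binding" support refers to


def in_pool(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACT_POOL)


def authorize_vulnerable(req: Request, acct: Account) -> bool:
    """Behaviour as the post describes it: a request from the ISP pool whose
    address is bound to an account is treated as that account already logged
    in, and no password is asked before changes are saved."""
    if in_pool(req.src_ip) and ACCOUNTS_BY_IP.get(req.src_ip) is acct:
        return True                # network location stands in for identity
    return req.session_user == acct.username


def authorize_hardened(req: Request, acct: Account) -> bool:
    """The source address is never a credential, and state-changing actions
    re-verify the current password, so an unattended logged-in browser on
    the LAN cannot be used to take over the account."""
    if req.session_user != acct.username:
        return False
    if req.action in SENSITIVE_ACTIONS:
        if req.current_password is None:
            return False
        return hmac.compare_digest(req.current_password.encode(), acct.password.encode())
    return True


def compare(req: Request, acct: Account = OWNER) -> Tuple[bool, bool]:
    """(vulnerable decision, hardened decision) for one request."""
    return authorize_vulnerable(req, acct), authorize_hardened(req, acct)


def demo() -> Dict[str, Tuple[bool, bool]]:
    return {
        # Guest laptop on the owner's LAN: same public IP, never logged in.
        "guest_on_lan": compare(Request("203.0.113.42", None, "change_email")),
        # Same guest coming in via a different ISP: even the vulnerable portal prompts.
        "guest_elsewhere": compare(Request("198.51.100.7", None, "change_email")),
        # Owner, logged in, but not retyping the password before a reset.
        "owner_no_password": compare(Request("203.0.113.42", "cust123", "reset_password")),
        # Owner, logged in, supplying the current password.
        "owner_with_password": compare(
            Request("203.0.113.42", "cust123", "reset_password", "correct-horse")),
    }


if __name__ == "__main__":
    for case, (vuln, hard) in demo().items():
        print(f"{case:20s} vulnerable={vuln!s:5s} hardened={hard}")
```

The first case is the LAN-guest scenario from the post: the vulnerable policy lets the guest through purely because the shared public address sits in the pool, while the hardened policy refuses without a session. The third case is the missing current-password check, which matters even for the legitimate owner's own unattended browser.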

ACT customer support was notified about this issue, but their response was:

Since you are a static IP user, we have bound your credentials so you need not log in every time to access the internet. Also, the information at the portal cannot be edited, as it is only for viewing.

When supplied with additional information showing that unauthorised changes could be made without entering our own password, their response was:

As these are the default settings for static customers in general, we will not encourage altering settings. Anyhow, we suggest you block the URL on your router end.

This kind of implementation is fundamentally flawed, and I am not a happy customer. If you are an ACT Fibrenet customer, I recommend you bring this to their notice and ask for it to be fixed!

Cash or the Card First?


I noticed something interesting during my recent time in the UAE, and it left me wondering. When you withdraw cash at an ATM in India, you insert the card, enter the PIN, the cash is dispensed, and then you take your card back. In Dubai the order is different: you insert the card, enter the PIN and carry out the transaction, the card comes out first, and only after you take the card back is the cash dispensed.

We have had cases in India where people would forcibly pull out part of the dispensed cash and then cancel the transaction. There were so many such fraud cases that the RBI had to step in and mandate that once cash has been dispensed, the transaction cannot be cancelled.

Any thoughts on which is the better practice and who is doing it right: banks in India or in Dubai?