Anyone who is using your Jio Internet connection can easily log into your Jio account. All they have to do is download the MyJio app and tap “SIGN IN WITH SIM”.
Steps to replicate:
You need two phones: one with a Jio SIM and one with a non-Jio SIM (make sure the MyJio app is not yet installed on the second phone).
Turn on the Wi-Fi hotspot on the Jio phone and connect to it from the non-Jio phone.
Install the MyJio app from the Play Store and open it. When it asks for authentication, tap “SIGN IN WITH SIM”. You will now be able to access the Jio account from the non-Jio phone.
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact, work, address, photo and usage details. Some of these details can also be edited.
Once logged in, the session is maintained even after the non-Jio phone disconnects from the Jio network.
If you mistakenly log out on the Jio phone while the non-Jio phone is still logged in, you will not be able to log in to your Jio app again until the other person logs out of the app.
If the victim has installed the Jio Security app, an attacker can track the current location or see the last known location.
Say you are in a public place and a stranger (the attacker) asks to use your Internet connection to check his email. Sharing your Internet connection is enough for the attacker to steal your sensitive information.
The issue can be resolved by adding an OTP check to the authentication step.
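The following is an added example, not code from Jio or from this write-up. It models the pattern the steps above are consistent with: a login that trusts whichever subscriber connection the request arrives over (so a phone tethered to the Jio hotspot looks like the SIM holder), beside the OTP-bound login proposed as the fix. The carrier attribution table, IP address, phone number and profile data are constructed, and how MyJio really implements SIM sign-in is not documented on this page.

```python
import secrets
from dataclasses import dataclass, field

# Assumption: the carrier gateway attributes each mobile-data connection to
# the subscriber it belongs to. Phones tethered to the Jio phone's hotspot
# share that connection, so they carry the same attribution. Values constructed.
CARRIER_ATTRIBUTION = {"10.20.30.40": "+91XXXXXXXXXX"}


@dataclass
class AuthServer:
    # Constructed profile with the kinds of fields the write-up lists
    profiles: dict = field(default_factory=lambda: {
        "+91XXXXXXXXXX": {"name": "Subscriber", "dob": "1990-01-01"}})
    pending_otps: dict = field(default_factory=dict)  # msisdn -> one-shot OTP
    sms_outbox: dict = field(default_factory=dict)    # msisdn -> last SMS sent

    def sign_in_with_sim(self, source_ip):
        """Weak: every device behind the attributed connection counts as the SIM holder."""
        msisdn = CARRIER_ATTRIBUTION.get(source_ip)
        if msisdn is None:
            return None
        return {"msisdn": msisdn, "profile": self.profiles[msisdn]}

    def start_otp_login(self, source_ip):
        """Fixed: attribution only picks the number; possession is proven by the OTP."""
        msisdn = CARRIER_ATTRIBUTION.get(source_ip)
        if msisdn is None:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[msisdn] = otp
        self.sms_outbox[msisdn] = otp  # delivered only to the device holding the SIM
        return msisdn

    def finish_otp_login(self, msisdn, otp_entered):
        expected = self.pending_otps.pop(msisdn, None)  # one attempt per challenge
        if expected is None or not secrets.compare_digest(expected, otp_entered):
            return None
        return {"msisdn": msisdn, "profile": self.profiles[msisdn]}


def demo():
    # Replays the write-up's scenario: Jio phone and tethered phone share one connection
    srv = AuthServer()
    jio_phone_ip = tethered_ip = "10.20.30.40"
    weak = srv.sign_in_with_sim(tethered_ip)          # tethered phone gets the account
    number = srv.start_otp_login(tethered_ip)
    tethered = srv.finish_otp_login(number, "wrong")  # cannot read the SIM's SMS
    number = srv.start_otp_login(jio_phone_ip)
    owner = srv.finish_otp_login(number, srv.sms_outbox[number])
    return weak is not None, tethered is None, owner is not None
```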
We thank Suriya Prakash from the Cyber Security & Privacy Foundation (CSPF) for helping us with this research.