The data of hundreds of exhibitors and thousands of visitors can be read with little effort from the website of the Mobile World Congress 2020 in Barcelona. AWARE7 GmbH, a security company from Gelsenkirchen, Germany, uncovered the apparently unintended API functions with its risk assessment platform RiskRex. Extensive information could be accessed without authentication. To what extent criminals have exploited the weakness is not known, but several offers of MWC data suggest that it is being abused in the wild.
API of the Mobile World Congress 2020 website is very informative.
Data security is essential in the telecommunications industry. The Mobile World Congress 2020 is the largest telecommunications exhibition in the world. During routine checks by AWARE7 GmbH's security researchers, the talkative API was noticed. It gives criminals extensive possibilities to access data of participants and exhibitors: hundreds of records can be retrieved automatically with a single command. Extensive information such as country, city, addresses and telephone numbers can be obtained for 2,956 exhibitors without any obstacle or restriction. In total, it was possible to view and download 1,749 telephone numbers that are not publicly advertised on any of the profile pages, and 1,472 e-mail addresses in addition to the telephone numbers. These data were already being offered for sale by third parties via e-mail.
This directly contradicts GSMA's privacy policy, which states:
We do not sell personal information to anyone and do not otherwise reveal your personal data to third-parties for their independent use unless (1) you request or authorize it, for instance by registering to a summit or a partner programme, or giving permission to exhibitors and sponsors to scan your attendee badge at the event; (2) it’s in connection with GSMA events; (3) the information is provided to comply with the law, enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) to GSMA affiliated companies; (5) or the information is provided to our agents, vendors or service providers who perform functions on our behalf.
With the new decade, Mobile World Congress has also switched to a new system. In 2019 the data was still served as static pages on the website. In 2020 the system was changed to an API, and the API returns more than the profile page displays. For example, none of the company profiles we examined officially show the telephone number, yet the API hands out this information without any obstacle: the profile page simply does not render the field, while the server still returns it.
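The following added example (not code from AWARE7, GSMA or the MWC site) shows the pattern behind this class of leak and the check a reviewer would run against it. The sample exhibitor record, its field names and the set of fields the profile page renders are all constructed assumptions for the example, not data from the MWC API. serialize_vulnerable hands the whole stored record to the client and relies on the page to hide fields; serialize_hardened applies a server-side allow-list so non-public fields never leave the server; overexposed_fields diffs an API response against what the page renders and flags values that look like telephone numbers or e-mail addresses.

```python
import re

# Constructed sample of what an over-talkative exhibitor endpoint might return.
# Made-up data for this example, not a captured MWC response.
RAW_EXHIBITOR_RECORD = {
    "id": 4711,
    "name": "Example Telco AG",
    "country": "DE",
    "city": "Gelsenkirchen",
    "description": "Fictional exhibitor used for this example.",
    "address": "Musterstrasse 1, 45879 Gelsenkirchen",
    "phone": "+49 209 0000000",
    "contact_email": "booth@example-telco.invalid",
    "internal_notes": "VIP, invoice pending",
}

# Fields the public profile page actually renders (assumption for this example).
PUBLIC_PROFILE_FIELDS = {"id", "name", "country", "city", "description"}

# Value patterns that mark a field as contact PII even when its key name is unhelpful.
PII_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s().-]{7,}$"),
}


def serialize_vulnerable(record):
    """The talkative variant: the whole stored record goes over the wire and
    the front-end is trusted to show only some of it."""
    return dict(record)


def serialize_hardened(record, allowed=frozenset(PUBLIC_PROFILE_FIELDS)):
    """Allow-list serializer: only fields the profile is meant to show leave the
    server. Anything not explicitly allowed is dropped, not merely hidden."""
    return {key: value for key, value in record.items() if key in allowed}


def overexposed_fields(api_response, rendered_fields=frozenset(PUBLIC_PROFILE_FIELDS)):
    """Audit helper: return {field: classification} for every field the API returns
    that the page never renders. Classification is 'email', 'phone' or 'other'.
    Against a live site, pass the parsed JSON of one profile and the set of
    fields you can see in the rendered HTML."""
    findings = {}
    for key, value in api_response.items():
        if key in rendered_fields:
            continue
        classification = "other"
        if isinstance(value, str):
            for label, pattern in PII_VALUE_PATTERNS.items():
                if pattern.match(value):
                    classification = label
                    break
        findings[key] = classification
    return findings


if __name__ == "__main__":
    # Vulnerable serializer: address, phone and e-mail reach the client unasked.
    print("vulnerable:", overexposed_fields(serialize_vulnerable(RAW_EXHIBITOR_RECORD)))
    # Hardened serializer: nothing beyond the rendered fields is returned.
    print("hardened:  ", overexposed_fields(serialize_hardened(RAW_EXHIBITOR_RECORD)))
```

The audit function deliberately classifies by value shape as well as by key name, because an endpoint that leaks a number under a key such as "contact_1" is no less of a leak. Note that an allow-list only fixes what each record exposes; the bulk retrieval described above additionally needs authentication and rate limiting on the endpoint itself.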
Not only exhibitors are affected – visitor data from MWC 2020 can also be systematically processed
Provided a successful registration for the MWC, extensive data on visitors can be extracted systematically. This somewhat more sophisticated approach allows attackers to collect data on about 16,000 visitors. The information ranges from e-mail address, country, city and postal address to extensive LinkedIn information such as skills and contacts. This data can be misused for fraudulent purposes such as targeted phishing.
The Mobile World Congress in Barcelona was informed about the existing security risk on 02/05/2020. According to our findings, the security risk still exists. We have published the whole technical report. We were informed on 02/10/2020 that this behaviour was intended and that there was no data protection violation.