Exposure of Unicom's high-risk vulnerability: leaked call records The response is called an experimental system

YesterdayVulnerabilitiesThe platform Wuyun released a message saying, "China UnicomThere is a vulnerability in a certain system", through which any user's call records, SMS sending and receiving records, geographical location, and logged-in social accounts can be queried. To thisUnicomThe official response said the system wasChina UnicomThe experimental system contains only a small amount of test simulation data. After China Unicom learned of it, it immediately fixed the vulnerability. No public information leaks have been found at this time.

Yesterday afternoon, the white hat "Passerby A" submitted information on the dark cloud of the vulnerability platform that there is a vulnerability in a system of China Unicom, through which any user's call records, SMS sending and receiving records, geographical location and logged-in social accounts, etc. can be queried, and the vulnerability has a risk level of "high", which has been handed over to a third-party manufacturer (CNCERT National Internet Emergency Center) for processing.

It is said that the vulnerability here only needs to know the target user's mobile phone number, and can obtain its detailed call records (mobile phone number, duration) and even the social network account information (QQ, Weibo, etc.) that the number has used, and at the same time, it can also obtain the email account, mobile phone IMEI, mobile phone model, and even lock the user's geographical location.

In this regard, the relevant person of the Wuyun platform said that the vulnerability does exist, and the level of harm is high, and the possible harm caused by the vulnerability mentioned in the description is also true. He also said that the vulnerability entry here is indeed a low-level vulnerability that should not appear. At present, the details of the vulnerability have been notified through cncert.

Relevant people from China Unicom said that the vulnerability is a vulnerability in an ongoing project of China Unicom Research Institute, not a national system. After Wuyun discovered the vulnerability, he immediately informed China Unicom that China Unicom's technicians were repairing it, and China Unicom's monitoring showed that there was no information leakage problem.