This is how Orange made it possible to expose ultra-Orthodox people who used non-kosher devices

Haredim 10
April 6, 2014   
With the click of a button, anyone could receive information about another person's cell phone line at Orange • Concern in the Haredi sector: The option gave exposure to anyone who secretly used a "non-kosher" device • Partner: "This is an isolated case"

Information security researcher Amitai Dan revealed today that an Orange tool made it possible to expose ultra-Orthodox people using non-kosher phones. He said it also made it possible to gather intelligence on company phones and phones installed in vehicles. After Dan's report, the company blocked the ability to use the tool without unique identifying information.

The journalist Oded Yaron of Haaretz, who uncovered the story, explains that, according to the researcher, the system in question, which was originally built for Orange's bookselling service, was used to identify the user's device. But the system, under the title 'portalXml Web Service - Orange', allowed anyone who accessed it to search by phone number and find out which device was associated with the number.

Orange emphasized that the system was not a visible part of the company's website, and could not be accessed via a direct link from it. But Dan demonstrated how he reached it by simply searching Google for the string "msisdn.co.il." The term msisdn simply refers to the phone number. That is, anyone who knows another person's phone number could find out which device was associated with it with a simple search - if only they knew what to look for.


Dan explained that attackers could use this option in several cases. When an attacker wants to break into a regular customer's phone, knowing the type of phone can be very useful, since it tells them what they are dealing with. He added that knowing the phone model can help those who are targeting companies or organizations that use what is known as a "number floor" - that is, a group of consecutive phone numbers in which only the last digits differ.

Following the publication, great concern arose in the Haredi sector, because the option made it possible to expose anyone who secretly used a "non-kosher" device.

Partner responded: "This is an isolated case that was handled immediately upon becoming aware of it over two months ago. It should be emphasized that the link in question is not part of the company's website and can only be accessed using designated identification information."

