Beware! A very serious security issue in Angel Broking: Anyone can see the documents you uploaded if they know your phone number

VarunAgw · June 20, 2020, 3:10pm

Here is how to reproduce the issue:

Visit https://www.angelbroking.com/open-demat-account
Enter the phone number you want to view details for.
If they signed up for the platform, you will get all their details and see the documents they uploaded. They don’t do any mobile number OTP verification.

For a demo: I created a dummy profile using 9324116954. Try entering this number in the form. Don’t worry it’s unused phone number from angel broking support team, so no harm to anyone.

The example shows the account which is not fully created. While I am yet to test for a fully created account, I think it might also work for them too (although with some extra complicated steps).

Edit: I have already contacted them. Posting it to raise awareness since they obviously don’t care.

Prakhar_Agrawal · June 20, 2020, 3:25pm

@siva it isn’t legal right , to have such loosenes in security and privacy

unofficed · June 20, 2020, 7:46pm

The Support guy should be fired. Let me escalate the issue with them. This is serious. Thanks for posting.

cvs · January 22, 2022, 2:13pm

@VarunAgw @unofficed What happened next? Is the above security issue resolved now?