arsyan's virtual playground

Maxis Billing System Bug

2010-10-04 14:02:05


One of the lousiest billing systems I have ever used. They had an upgrade a few months back; they shut down their online billing for about a month or so for this "supposed" upgrade, but they are still using the shitty "MUST ENABLE POPUP" requirement in order to view the billing system. I don't know what the hell for; I don't see how using a popup is a security measure. (Well, maybe it is, since Maybank2u TAC also uses a popup.) I mean come on guys, you have the resources to hire the best web developers out there. I was expecting an upgrade that wouldn't require me to enable popups, and a better interface for understanding my bills.



So today, I was logging in to my Maxis account and found that it had logged me in to a different account. Each time I logged out and logged back in, it brought me to yet another account. I've been seeing other people's emails and telephone numbers, and I was also able to browse the phonebooks they had backed up with Maxis. THIS IS A HUGEEEEE breach of privacy. I tweeted about it and got retweeted by some of the influential people on the twittersphere. Later, I got a phone call from Caroline (their social media rep, I think) demanding that I remove my screenshot due to privacy. OK, I admit that I screenshotted the phone number and email without masking them, so fine, my bad. I will now re-post the screenshot with parts of the numbers and names masked, OK?

As an example of how dangerous this bug was: I'm logged in under a girl named Norhayati, and I can also see her phone number and email. So I used her email to look her up on Facebook and Friendster, and now I know her friends, her age, her number. Wow, great job Maxis. For the past few hours your system has been a stalker's greatest tool ever. LOL. There's even a phone number you can call and harass. This didn't just happen to my account. All my colleagues are viewing other people's accounts when they log in to their own accounts, so it's affecting the system globally. Imagine how many people log in at the beginning of the month to pay their bills and find out that they are actually in another person's account.



That's not the end of it. I can now browse her phonebook too! ZOMG O_O !!! Could harass her friends too.


And when I log out and log in again, I get another person's ID. WOW. What fun... I could do this all day... I didn't believe it at first, but it was real, definitely real.


Nargesh (I thought it was a guy at first), but it turns out she's a hottie! Poor girl, she has surely already been harassed by someone who logged in to her account by accident, revealing her number and email and exposing all her friends' phone numbers.


I've been a Maxis customer for more than 10 years, and in recent years they have pissed me off many times with shitty, ridiculous service. Wrongly replacing my SIM card, this and that, all kinds of problems. If it weren't for the iPhone and their wide 3G coverage for mobile data and their multi-SIM solution, I would have left this shitty, arrogant telco a long time ago. If we Twitterers and bloggers hadn't shouted and notified you about this bug, you wouldn't have noticed it and a lot more people would have been victims of a privacy breach. Please revamp your billing system to that of a world-class telco, or at least to a standard that doesn't require you to enable popups.

UPDATE:
Maxis doing damage control and replied:
"MaxisListens: @arsyan @demonick As a result, customers who logged in to the portal were able to see a TEST A/C which was not a valid Maxis cust's profile."


BULLSHIT! My colleague called the person he was logged in as and asked if he'd had any problems logging in to his Maxis account. How could a test account answer the phone, and how could a test account's email be searchable on Facebook and Friendster? Maxis is lying...

UPDATE 2:
@arsyan The number may be real. However, there is no real association between the profile & user. @demonick

Yeah yeah, Maxis. Whatever. You want to win, so go ahead and win. We all know the truth! (http://twitter.com/kukujiao/status/26339866142) If it was a fake TEST account, why would you call me up demanding that I remove the screenshot that had exposed the number? Contradicting yourself, is it?

UPDATE 3:
Maxis lied to us. It was no test account. It was a real person, and that person has no idea.


UPDATE 4: (from Lowyat.net)

MAXIS MEDIA STATEMENT
6 OCTOBER 2010
ELECTRONIC CUSTOMER SERVICE (WEB)

Maxis Berhad would like to assure its customers that we are committed to customer confidentiality. This is following feedback that a technical issue was detected in our electronic customer service (eCS) system. Immediate steps have been taken and the issue was resolved within hours. We will be contacting affected customers to update them of the situation. Customers who have further enquiries may contact Maxis customer service at 1800 821 123 or customercare@maxis.com.my.


I hope whatever problem caused such a fiasco was fixed permanently, and kudos to Maxis for patching it in a timely manner. A word of advice, however, on Twitter: don't flat-out lie to customers. If there is a problem, admit it and fix it; we can smell bullshit a mile away. I would rather have heard "There is a problem, we're sorry and are working hard to fix it" than the "It was just a test account, the phone numbers are false, not our fault, nothing's wrong..." malarkey. Ah well, lesson learned! The internets can be a cold and unforgiving place.

UPDATE 5:
Newspaper coverage as follows:
1. http://techcentral.my/news/story.aspx?file=/2010/10/8/it_news/20101008163235&sec=it_news