SonyLIV Fixes Flaw That Could Let Attackers Fetch Sensitive User Information

SonyLIV has over 100 million downloads on Google Play.

By Jagmeet Singh | Updated: 20 December 2019 17:14 IST
Highlights
  • SonyLIV had the flaw in one of its APIs used for login purposes
  • The flaw could be used to perform social engineering and other attacks
  • SonyLIV website and apps were affected by the vulnerability

SonyLIV has assured that the data of its subscribers remain safe and protected

SonyLIV has fixed a security flaw that could have allowed attackers to fetch sensitive information about its registered users, such as profile picture, email address, date of birth, name, and phone number. The flaw, which existed in one of the APIs of the over-the-top (OTT) platform owned by Sony Pictures Networks, could have been exploited using nothing more than the email addresses of registered users. The platform uses the API to perform backend tasks such as providing the login option to existing users and fetching their account details. SonyLIV confirmed the fix to Gadgets 360 and assured that the data of its subscribers remains safe and protected.

“A bug that could have affected accounts using social media IDs for logging onto SonyLIV has been identified and removed. Data of all our subscribers remain safe and securely protected,” a SonyLIV spokesperson said in a prepared statement emailed to Gadgets 360.

The flaw was discovered by Bengaluru-based security researcher Ehraz Ahmed within the login process of SonyLIV. He showed a proof-of-concept (PoC) to Gadgets 360 last week. By passing a cURL request manually, Gadgets 360 was able to verify the vulnerability and notified SonyLIV of its existence.

The IT team at SonyLIV started working on the fix soon after the issue was highlighted by Gadgets 360 and took a few days to make sure that it had been applied across all the apps and Web platforms. Since the flaw existed in the API designed for login functions, it affected SonyLIV's mobile apps as well as its website.

Ahmed, while speaking with Gadgets 360, underlined that finding the flaw was quite easy since SonyLIV didn't use any major security rules to protect backdoor access.

“The attackers could fetch sensitive user information in a few minutes using the vulnerability,” the researcher said.

After gaining access to the security loophole, a bad actor needed only the email address of one of the signed-in SonyLIV users to obtain their sensitive information. Additionally, the researcher explained that the vulnerability could be used to acquire the authentication token to gain full access to the user account. This means that attackers exploiting the reported flaw would be able to log in to the user account using the authentication token. The token could also be used to access other APIs of SonyLIV.

“It could cause a massive data breach, and the flaw was a risk to all the registered users as it could leak their sensitive information on the Web,” Ahmed told Gadgets 360. “The attackers could use the information fetched to even perform social engineering and other attacks.”

The researcher developed a script that sent a request to the affected API and fetched user information along with the authentication token. He also created a video and published a case study detailing the flaw, both of which were unlisted and private until the fix was confirmed to Gadgets 360.

 

SonyLIV provides access to various TV shows that broadcast on channels owned by Sony Pictures Networks. Also, the platform, launched back in January 2013, provides access to live sports matches and live channels such as Animax HD, Sony BBC Earth, and Food Food among others. A paid subscription to SonyLIV is also available starting at Rs. 99 a month that brings access to live TV, premium shows, movies, and sports events.

The Android app of SonyLIV has over 100 million downloads, as per the listing available on Google Play. However, the total number of registered users hasn't been disclosed.

 
