HomeResourcesCase StudiesVietnam Telecom API Pen Test
Penetration TestingTelecomTelecom · Vietnam

Vietnam Telecom Operator: 14 API Vulnerabilities Remediated Before 5G Launch

A Vietnamese telecom operator commissioned CREST web and API penetration testing before launching a 5G consumer platform — 14 vulnerabilities including 3 critical authentication bypass flaws were found and fixed before go-live.

CREST Pen Testing · 5G Platform
14
API Vulns Remediated Pre-Launch
3
Critical
312
Endpoints
28d
Timeline
Zero
Post-Launch
Industry
Telecommunications
Service
CREST API + Web Application Pen Testing
Timeline
4-week engagement before platform launch
Technology
CardIntel + OWASP API Security Top 10
The Challenge

New API Platform, MIC Compliance, 6-Week Launch Window

A Vietnamese telecommunications operator was launching a 5G consumer self-service platform — a REST API platform with a consumer mobile app, web portal, and third-party developer API. The Ministry of Information and Communications (MIC) requires security testing documentation for major platform launches by licensed telecoms providers.

The platform had been through two internal code reviews during development. However, code review and penetration testing address fundamentally different risk categories. Code review identifies implementation flaws at the source code level; penetration testing identifies vulnerabilities in the running application as an attacker would encounter them — including configuration issues, business logic flaws, and inter-service communication weaknesses that code review cannot detect.

The operator's CISO required external CREST penetration testing with an OWASP API Security Top 10 scope before launch sign-off, with 4 weeks available before the go-live date. The platform's architecture added scope complexity: 3 API versions were maintained simultaneously (v1 for legacy integrations, v2 for the consumer app, and v3 for the third-party developer portal), each with its own authentication and authorisation model.

The 5G platform was expected to serve 2 million subscribers within its first year. The reputational and regulatory risk of launching with undetected API vulnerabilities — particularly in authentication and billing — was unacceptable. A single authentication bypass vulnerability could expose the personal and billing data of every subscriber on the platform.

  • 5G consumer platform with 312 API endpoints across 3 API versions
  • MIC requires security testing documentation for major telecoms platform launches
  • 4-week window before go-live date
  • 2 million expected subscribers in first year
  • Consumer mobile app, web portal, and third-party developer API all in scope
EIC's Approach

OWASP API Security Top 10 + Business Logic Testing

EIC deployed a structured 4-phase API-focused engagement using CardIntel for endpoint enumeration followed by manual CREST testing against OWASP API Security Top 10 (v2023) plus telecoms-specific business logic scenarios.

Phase 01 · Days 1–3

API Surface Mapping

CardIntel enumerated all API endpoints: 312 unique endpoints across 3 API versions. Authentication tokens, rate limiting, and error handling mapped before testing began.

Phase 02 · Days 4–14

OWASP API Top 10 Testing

Full OWASP API Security Top 10 (v2023) plus business logic testing for tariff manipulation, account takeover, and SIM swap fraud vectors. 14 findings: 3 Critical, 5 High, 6 Medium.

Phase 03 · Days 14–22

Remediation Support

Fix-level guidance for all 3 criticals and 5 highs. Development team remediated in parallel. All 3 criticals confirmed fixed by day 20.

Phase 04 · Days 22–28

Retest & MIC Docs

All 14 findings retested. Zero criticals or highs remaining. Retest report issued. MIC security testing documentation package produced.

Critical Findings

Three Critical Vulnerabilities That Could Not Reach Production

The three critical vulnerabilities discovered during testing represented the exact category of findings that justify pre-launch penetration testing investment. Each would have been exploitable by a moderately skilled attacker and each had direct impact on subscriber data or financial transactions.

The first critical finding was an authentication bypass on the account management API (v2). By manipulating the JWT token payload and exploiting a signature verification flaw, an attacker could generate a valid session for any subscriber account. This would have allowed access to subscriber personal data, call records, and account management functions for any of the platform's users. The fix required implementing proper JWT signature validation and adding server-side session verification.

The second critical was an Insecure Direct Object Reference (IDOR) vulnerability on the billing API. An authenticated subscriber could modify the account ID parameter in billing API requests to view other subscribers' billing history, payment methods, and outstanding balances. For a telecom operator serving potentially millions of subscribers, this represented a massive data exposure risk.

The third critical involved JWT token lifetime misconfiguration. Access tokens were configured with a 30-day expiry and no refresh token rotation. A stolen token would provide persistent access to a subscriber's account for an entire month without requiring re-authentication. Combined with the authentication bypass vulnerability, this created a scenario where an attacker could maintain persistent access to any subscriber account indefinitely.

The 90-day post-launch period validated the testing investment: zero security incidents were reported against the platform in its first three months of operation with live subscribers. The MIC documentation package was accepted without additional requests, and the operator's security team received the full retest evidence package for their ongoing vulnerability management programme.

Results

Measurable Outcomes

14
API vulnerabilities found and remediated before launch
3
Critical authentication bypass flaws prevented from reaching production
312
API endpoints mapped and tested
Zero
Security incidents reported in the 90 days post-launch
"
The IDOR vulnerability on our billing API would have allowed any authenticated user to view other customers' bills. Finding that before 2 million subscribers were on the platform is exactly the kind of outcome that justifies this investment.
Chief Security Officer, Telecoms Operator, Vietnam
Services & Technology in This Engagement

Launching a Platform or API? Test Before Launch.

Schedule a 30-minute scoping call and we'll assess your API surface and recommend a CREST penetration testing engagement with OWASP API Security Top 10 coverage.