Well, if you read the ‘responsible disclosure’, you’ll see this part:
“This happened around March — April and by now, a lot of it has already been patched up and rectified (hopefully).”
So I did all of this close to five months ago, when there wasn’t any sort of authentication.
“Most of the requests contained an ‘imsi’ parameter (IMSI being a unique id assigned by the network for your device) and an ‘nic’ parameter (your NIC or passport number) which weren’t really being validated, so sending empty or null values somehow seemed to work.”
I tipped a couple of people at Dialog about it afterwards with my findings. NIC and IMSI validation was added, authentication was put in (which is why you now get an ‘auth failed’ error), they removed the stack trace from the error messages, and that’s how I know it was (again hopefully) patched.
I’m not sure where I said that it was possible “a little while ago”. If you read the ‘responsible disclosure’ again, I’ve mentioned that it was done around March — April.
I hope that clears any doubts you might have, and if anything, please feel free to ask me c: