
Information security in telecom: the example of Megafon

I believe that the telecommunications field requires increased attention to security: it involves people, money, information ...

What motivated me to write this article: I recently wrote to Megafon about a vulnerability in an online store. The vulnerability was fixed, but they can't say a simple thank you.

All vulnerabilities demonstrate methods of obtaining information and should not be used for hacking.

So let's start in order:
1. shop.megafon.ru
Passive (reflected) XSS: filtering of the si_price_from parameter is insufficient. More precisely, the developer apparently saw no reason to filter the value, since it is set by a slider and sits in a hidden field the user does not see. Already fixed.

2. http://vrn.megafon.ru/pdfd.action?url=/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS - insufficient filtering of the URL parameter.

3. https://oauth.megafon.ru/login?msisdn=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&p=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&login=Login
XSS - neither login nor password is filtered.

A superficial glance, and 3 XSS found without much difficulty. So this is why even elementary things like minor XSS are simply ignored. I haven't checked bank.megafon.ru yet, but I think the situation there is rather deplorable, so I wouldn't particularly trust Megafon with my money, information and personal data, if only because there is no redirect from http to https in the Megafon store.
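
The fix for item 1, as an added example that is not from the original post or from Megafon's code: a hidden field filled by a slider is still request input, so the value is validated as a number and encoded for the attribute context, and the output is parsed to confirm no extra element appears. The field markup and all function names are assumptions; the payload is the one from the URLs above.

```python
import html
import re
from html.parser import HTMLParser

# Payload shape taken from the URLs listed above; the field markup and all
# function names are assumptions made for this example.
PAYLOAD = '"><script>alert(document.cookie)</script>'
_PRICE_RE = re.compile(r"[0-9]{1,9}")

def render_price_unsafe(si_price_from):
    """'Before': value trusted because a slider normally sets the hidden field."""
    return f'<input type="hidden" name="si_price_from" value="{si_price_from}">'

def parse_price(raw, default=0):
    """Allow-list validation: a price bound is a short run of ASCII digits."""
    return int(raw) if _PRICE_RE.fullmatch(raw) else default

def render_price_safe(si_price_from):
    """'After': validate the type, then still encode for the attribute context."""
    value = html.escape(str(parse_price(si_price_from)), quote=True)
    return f'<input type="hidden" name="si_price_from" value="{value}">'

def render_text_safe(name, raw):
    """Free-text parameters (msisdn, url) cannot be typed, so encode on output."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(raw, quote=True)}">')

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))

def elements(markup):
    """Parse the rendered markup and list the elements it actually creates."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.seen

if __name__ == "__main__":
    for label, out in [("unsafe", render_price_unsafe(PAYLOAD)),
                       ("safe", render_price_safe(PAYLOAD)),
                       ("text", render_text_safe("msisdn", PAYLOAD))]:
        print(label, [tag for tag, _ in elements(out)])
```
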

Source: https://habr.com/ru/post/312918/

