Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.


Today I noticed a quite worrying vulnerability that would allow any app (and potentially any website, provided it can break the same-origin policy) to secretly find out your Three mobile number. The privacy implications of this are obvious: an advertiser could track you across all apps even if you delete and reinstall the app, and could also secretly resell that information to data brokers.

It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:

http://mobile.three.co.uk/om_services/threeuserinfo/headers?app_id=ThreeAppIphone

Open that URL on any Three phone and you’ll get a (badly formatted) XML document containing the user’s mobile number as well as some account numbers presumably used for their internal billing.

This only happens on the default three.co.uk APN. Fortunately there is another APN, 3internet, that seems to work fine (no billing issues or extra charges), so if you are a Three customer please use that APN instead to defend against this.

Disclosure timeline

