Three phone number leakage vulnerability
TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.
Today I noticed a quite worrying vulnerability that would allow any app (and potentially any website, provided it can break the same-origin policy) to secretly find out your Three mobile number. The privacy implications of this are obvious: an advertiser could track you across all apps even if you delete and reinstall an app, and could also secretly resell that information to data brokers.
It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:
Open that URL on any Three phone and you'll get a (badly formatted) XML document containing the user's mobile number as well as some account numbers presumably used for their internal billing.
This only happens on the default three.co.uk APN - fortunately there is another APN, 3internet, that seems to work fine (no billing issues nor extra charges), so if you are a Three customer please use that APN instead to defend against this.
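As an added example (not code from the original post), here is a small self-check a Three customer could run against the body of that response after switching APN: it scans a response body for anything shaped like a UK mobile number and reports whether the number is still being exposed. The sample body below is constructed for this example and does not reproduce the real response format; the element names are made up.

```python
import re

# Constructed sample of the kind of response the post describes: an XML-ish body
# carrying the subscriber's mobile number plus some account identifiers. Element
# names and values are invented for this example.
SAMPLE_BODY = """<?xml version="1.0"?>
<subscriber><msisdn>07700900123</msisdn><account>ACC-0000001</account>
<billing>BIL-0000002</billing></subscriber>"""

# UK mobile numbers: 07 followed by nine digits, or the international +447 form.
# The digit lookarounds stop us matching a number embedded in a longer identifier.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+44\s?7\d{9}|07\d{9})(?!\d)")


def find_msisdns(body: str) -> list[str]:
    """Return every UK-mobile-shaped number in a response body, normalised to +44 form.

    A regex is used rather than an XML parser because the response is described as
    badly formatted; this check must not fail just because the markup is broken.
    """
    found = []
    for match in UK_MOBILE.finditer(body):
        digits = re.sub(r"\D", "", match.group(0))
        if digits.startswith("0"):
            digits = "44" + digits[1:]
        found.append("+" + digits)
    return found


def is_leaking(body: str) -> bool:
    """True if the response still exposes a mobile number (i.e. the leak is present)."""
    return bool(find_msisdns(body))


def redact(number: str) -> str:
    """Keep only the last three digits when logging a found number."""
    return "*" * (len(number) - 3) + number[-3:]


if __name__ == "__main__":
    # On the vulnerable APN the body would contain the number; on 3internet it should not.
    numbers = find_msisdns(SAMPLE_BODY)
    if numbers:
        print("LEAK: response exposes", ", ".join(redact(n) for n in numbers))
    else:
        print("OK: no mobile number found in response")
```

The check deliberately works on a saved copy of the response rather than fetching anything itself; paste the body the browser shows into `SAMPLE_BODY` (or read it from a file) and run the script before and after changing APN to confirm the number has disappeared.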
Disclosure timeline
- 9/07 - initial contact with Three customer support
- 17/07 - raised a formal complaint with Three and the ICO
- 23/09 - no news from either Three or the ICO - vulnerability still present, blog post published
- 23/03/18 - URL and response format changed, but vulnerability still present as the My3 app can still log into the user’s account without providing any credentials