Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.

Today I noticed a quite worrying vulnerability that would allow any app (and potentially any website, provided they break the same-origin policy) to secretly find out your Three mobile number. The privacy implications are obvious: an advertiser could track you across all apps even if you delete and reinstall the app, and could also secretly resell that information to data brokers.

It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:

Open that URL on any Three phone and you’ll get a (badly formatted) XML document with the user’s mobile number as well as some account numbers presumably used for their internal billing.

This only happens on the default APN. Fortunately there is another APN, 3internet, that seems to work fine (no billing issues or extra charges), so if you are a Three customer please use that APN instead to defend against this.

 Disclosure timeline

