Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.

Today I noticed a quite worrying vulnerability that would allow any app (and potentially any website, provided they break the same-origin policy) to secretly find out your Three mobile number - the privacy implications of this are obvious - an advertiser could thus track you across all apps even if you delete and reinstall the app, and they could also secretly resell that information to data brokers.

It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:

Open that URL on any Three phone and you’ll get a (badly formatted) XML document with the user’s mobile number as well as some account numbers presumably used for their internal billing.

This only happens on the default APN - fortunately there is another 3internet APN that seems to work fine (no billing issues nor extra charges) so if you are a Three customer please use that APN instead to defend against this.

Disclosure timeline

