Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.


Today I noticed a quite worrying vulnerability that allows any app on your phone (and potentially any website, if it could read the response across origins, which the same-origin policy is supposed to prevent) to secretly find out your Three mobile number. The privacy implications are obvious: your phone number is a stable identifier, so an advertiser could use it to track you across all apps, even if you delete and reinstall an app, and could also quietly resell it to data brokers.

It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:

http://mobile.three.co.uk/om_services/threeuserinfo/headers?app_id=ThreeAppIphone

Open that URL on any Three phone and you’ll get a (badly formatted) XML document containing the user’s mobile number as well as some account numbers, presumably used for their internal billing. No login or consent is involved: anything on the phone that can make an HTTP request over the mobile connection can read it.

This only happens on the default three.co.uk APN. Fortunately there is another APN, 3internet, that does not expose the data and seems to work fine (no billing issues or extra charges), so if you are a Three customer please use that APN instead to defend against this.
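To check whether your current connection is affected, you can fetch the URL over mobile data and look for anything resembling a UK mobile number in the response. The script below is an added example, not code from the original post. The post does not document the XML layout beyond calling it badly formatted, so rather than parsing a structure I would have to guess, it scans the raw body for 07xxx xxxxxx / +44 7xxx xxxxxx patterns and normalises them to E.164. The embedded sample body is constructed (using an Ofcom-reserved drama number) purely to exercise the scanner offline; pass `--live` to hit the real endpoint.

```python
"""Check whether the current data connection leaks a UK mobile number.

Added example, not from the original post. Run it once on the
three.co.uk APN and once on the 3internet APN; an empty result on the
latter is the expected outcome.
"""
import re
import sys
import urllib.request

# The URL from the post; everything else here is an assumption.
ENDPOINT = "http://mobile.three.co.uk/om_services/threeuserinfo/headers?app_id=ThreeAppIphone"

# Optional +44 or 0 prefix, a leading 7, then nine more digits, allowing a
# single space or hyphen between groups. Lookarounds stop us matching the
# middle of a longer digit run such as an account number.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)[\s-]?7\d{3}[\s-]?\d{3}[\s-]?\d{3}(?!\d)")


def normalise(raw: str) -> str:
    """Reduce a matched number to E.164 digits (447xxxxxxxxx, no plus)."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


def find_uk_mobiles(body: str) -> list[str]:
    """Return unique UK mobile numbers found in body, in order of first appearance."""
    found: list[str] = []
    for match in UK_MOBILE.finditer(body):
        number = normalise(match.group(0))
        if number not in found:
            found.append(number)
    return found


def fetch(url: str = ENDPOINT, timeout: float = 10.0) -> str:
    """GET the endpoint over whatever connection the device is using."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: illustrates the scanner only, not captured from Three.
SAMPLE_BODY = (
    "<headers><msisdn>447700900123</msisdn>"
    "<other>0 7700 900123</other><account>1234567890</account></headers>"
)

if __name__ == "__main__":
    body = fetch() if "--live" in sys.argv else SAMPLE_BODY
    hits = find_uk_mobiles(body)
    print("leaked numbers:", hits if hits else "none")
```

Because the leak is a property of the carrier's APN rather than of any particular app, the same request issued from any process on the phone gets the same answer; the scanner is deliberately format-agnostic so it still works if the XML layout changes.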

Disclosure timeline

