Three exposed Brit’s privates with sloppy survey code
Hacker Joseph Redfern has reported a privacy flaw at UK telco Three, which exposed names and email addresses in online surveys.
The telco shuttered the offending survey site and the exposed API which returned the private information in JSON forms when a user entered data.
Refern says the flaw meant any phone number could be keyed into the clear text requests. Doing so would produce the real name and email address of the owner.
“The site was making an AJAX request to an API … over cleartext HTTP passing my mobile phone number in the URL,” Redfern says.
“The response included my Three account number, my full name, my email address and some other account identifier.
“I confirmed that this was the case for other numbers by entering a friend’s phone number [and] sure enough their name and contact details were presented to me.
“Clearly, this information disclosure isn’t ideal. The ability to find out the account holder and contact details behind any Three phone number could come in handy for social engineering attacks, stalking, or spamming.”
Redfern says attackers could brute force British phone numbers and scrape the Three API to compile a database of customers.
“I’d consider it a fairly severe breach of privacy,” he says.
Three did not appear to use the personal information for any obvious part of its survey, according to Redfern.
He says the telco did not respond to his request to be informed when the privacy hole was closed. ®