Three exposed Brit's privates with sloppy survey code

Dumb API spewed too much information says security chap


Hacker Joseph Redfern has reported a privacy flaw at UK telco Three, which exposed names and email addresses in online surveys.

The telco shuttered the offending survey site and the exposed API which returned the private information in JSON forms when a user entered data.

Redfern says the flaw meant any phone number could be keyed into the cleartext requests. Doing so would produce the real name and email address of the owner.

"The site was making an AJAX request to an API … over cleartext HTTP passing my mobile phone number in the URL," Redfern says.

"The response included my Three account number, my full name, my email address and some other account identifier.

"I confirmed that this was the case for other numbers by entering a friend's phone number [and] sure enough their name and contact details were presented to me.

"Clearly, this information disclosure isn’t ideal. The ability to find out the account holder and contact details behind any Three phone number could come in handy for social engineering attacks, stalking, or spamming."

Redfern says attackers could brute force British phone numbers and scrape the Three API to compile a database of customers.
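Because the lookup answered any number with no authentication, the bulk-scraping Redfern describes would show up in the server's own access logs as one client walking through many distinct phone numbers in a short window. The detector below is an added example, not code from Three or from Redfern; the log format, the `/api/lookup?msisdn=` path and the sample lines are all constructed for illustration (the 07700 900xxx numbers are the Ofcom range reserved for fiction, so they belong to nobody).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical lookup endpoint.
# Path, format and all values are assumptions, not Three's real API.
SAMPLE_LOG = """\
203.0.113.9 [2016-03-01T10:00:01] "GET /api/lookup?msisdn=07700900001 HTTP/1.1" 200
203.0.113.9 [2016-03-01T10:00:02] "GET /api/lookup?msisdn=07700900002 HTTP/1.1" 200
203.0.113.9 [2016-03-01T10:00:02] "GET /api/lookup?msisdn=07700900003 HTTP/1.1" 200
203.0.113.9 [2016-03-01T10:00:03] "GET /api/lookup?msisdn=07700900004 HTTP/1.1" 200
203.0.113.9 [2016-03-01T10:00:03] "GET /api/lookup?msisdn=07700900005 HTTP/1.1" 200
203.0.113.9 [2016-03-01T10:00:04] "GET /api/lookup?msisdn=07700900006 HTTP/1.1" 200
198.51.100.7 [2016-03-01T10:05:00] "GET /api/lookup?msisdn=07700900123 HTTP/1.1" 200
198.51.100.7 [2016-03-01T10:05:30] "GET /api/lookup?msisdn=07700900123 HTTP/1.1" 200
"""

# One log line: client IP, ISO timestamp, then the looked-up number.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /api/lookup\?msisdn=(?P<msisdn>\d+) ')


def find_enumerators(log_text, max_distinct=5, window=timedelta(minutes=1)):
    """Return {ip: distinct_numbers} for every client that looked up more
    than `max_distinct` different phone numbers inside any span of length
    `window`. A legitimate survey visitor re-submits their own number; a
    scraper asks for many different ones."""
    hits = defaultdict(list)  # ip -> [(timestamp, msisdn), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits[m['ip']].append((datetime.fromisoformat(m['ts']), m['msisdn']))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Slide a window starting at each request and count distinct numbers.
        for i, (t0, _) in enumerate(events):
            seen = {n for t, n in events[i:] if t - t0 <= window}
            if len(seen) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # expected: {'203.0.113.9': 6}
```

The threshold is deliberately low for the sample; on a real survey endpoint, where one visitor has no reason to submit more than one or two numbers, the same logic also argues for rate limiting per client and for not returning account details at all.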

"I’d consider it a fairly severe breach of privacy," he says.

Three did not appear to use the personal information for any obvious part of its survey, according to Redfern.

He says the telco did not respond to his request to be informed when the privacy hole was closed. ®
