Three Information Disclosure Vulnerability

A few weeks ago, I got an email from Three asking me to fill out a survey for them, rating my satisfaction with their services. They offered “the chance to win an iPad”, so I decided I’d fill in the survey to provide some feedback (I’m generally a fairly satisfied customer).

The link opened in my default web browser (Firefox), which happened to be linked up to Burp – after filling and submitting the survey, I was able to view the requests and responses that Firefox had made during the process. After looking at these requests, I noticed something quite worrying.

The site (https://www.threemicrosites.co.uk/survey/, now closed) was making an AJAX request to an API (http://www.threemicrosites.co.uk/api/getuser/p/44xxxxxxxxxx/, where xxxxxxxxxx is the 3 phone number). The request was made over cleartext HTTP, passing my mobile phone number in the URL. The response included my 3 account number, my full name, my email address and some other account identifier. I confirmed that this was the case for other numbers by entering a friends phone number (with their permission) – sure enough, their name and contact details were presented to me.  Information from the API was presented in the following form, as JSON:

{"success":true,"id":"813xxx","user_id":"9555xxxxxx","phone":"447598xxxxxx","email":"xxxxxx@yyyyy.zzz","title":"Mr","name":"Joseph","surname":"Redfern","email_vs_sms":"xxx","timestamp":"2015-05-xx xx:xx:xx"}

Clearly, this information disclosure isn’t ideal. The ability to find out the account holder and contact details behind ANY 3 phone number could come in handy for social engineering attacks, stalking, spamming etc. It would also be possible to scrape the API and build up a database of 3 customers by brute-forcing the API using H3G Number Prefixes, which can be found here – such a database could be very valuable to Three’s competitors,  marketing companies etc. I’d consider it a fairly severe breach of privacy.

The bizarre thing is that the survey didn’t appear to use any of the information returned by the API – the thank you page had no reference of my name, email address or account number.

I reported the issue to Three customer support, and requested that I be notified once their security team had acknowledged the issue. Customer Support said that they’d pass the request on, but that they couldn’t promise anything – sadly, they didn’t bother to get back to me (and I didn’t even win their competition!). The survey has now been taken down, along with the offending API. I can’t be sure if this was in response to these issues, or if the closure was planned – but either way, this no longer seems to be a problem.

Video Demo: