A mobile operator allowed anyone with the phone number of one of its customers to access their personal information, including name, address, phone number, and call and text history, according to a report by Ars Technica. The operator, Q Link Wireless, claimed to have more than two million customers in 2019.
Ars Technica pointed to a Reddit post that said the app used by the operator and its subsidiary Hello Mobile never asked for a password or any other identifying information when a user logged in with a phone number. The app’s reviews contain references to bad security practices (to put it mildly) dating back to December 2020. While it is unclear when the credential-less login appeared, there is an update note from two years ago that mentions an “Updated Login Process”.
The operator reportedly fixed the issue, although it appears that it may have done so simply by disabling app logins entirely. Before the change, Ars was able to see, but not change, a large amount of information about a Hello Mobile customer who volunteered their phone number, including their name, address, account number, email address, and the numbers they had contacted or been contacted by. The latter is probably the most sensitive – while the content of text messages or phone calls was not displayed, there is still a lot of information to be gained by knowing who you spoke to and when you spoke to them.
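The failure described above is an account endpoint that treats a phone number as if it were a credential. The following is an added illustration, not code from the article, Q Link Wireless or Hello Mobile: it places a lookup keyed only by phone number beside a hardened version that requires a session obtained with a password and checks that the session owner actually holds the requested number. All account data, function names and the in-memory stores are constructed for the example.

```python
"""Phone-number-only account lookup (the pattern the article describes)
next to a hardened lookup that requires an authenticated session.
All data below is constructed; nothing here is from a real operator."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    phone: str
    name: str
    address: str
    password_hash: bytes            # salted PBKDF2 hash of the password
    salt: bytes
    contacts: list = field(default_factory=list)  # numbers called or texted


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(phone, name, address, password, contacts) -> Account:
    salt = os.urandom(16)
    return Account(phone, name, address, _hash_password(password, salt), salt, contacts)


# Constructed sample customers (hypothetical numbers, not real people)
ACCOUNTS = {
    "+15550100001": make_account("+15550100001", "Alice Example", "1 Main St",
                                 "alice-pw", ["+15550100002"]),
    "+15550100002": make_account("+15550100002", "Bob Example", "2 Main St",
                                 "bob-pw", ["+15550100001"]),
}


def public_view(acct: Account) -> dict:
    """The fields the app would show after login (no secrets included)."""
    return {"name": acct.name, "address": acct.address,
            "contacts": list(acct.contacts)}


# --- Pattern from the article: knowing the number is enough -----------------
def lookup_insecure(phone: str) -> Optional[dict]:
    acct = ACCOUNTS.get(phone)
    return public_view(acct) if acct else None


# --- Hardened version: authenticate first, then authorise the lookup --------
SESSIONS: dict = {}   # session token -> phone number that proved ownership


def login(phone: str, password: str) -> Optional[str]:
    """Return a session token only if the password matches the account."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        # Hash anyway so a missing account costs the same time as a wrong password
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def lookup_secure(token: Optional[str], phone: str) -> Optional[dict]:
    """Return account data only to a session that belongs to that same phone."""
    owner = SESSIONS.get(token) if token else None
    if owner is None or owner != phone:
        return None   # no session, or a session for a different customer
    return public_view(ACCOUNTS[phone])


if __name__ == "__main__":
    print("insecure:", lookup_insecure("+15550100001"))
    print("no session:", lookup_secure(None, "+15550100001"))
    tok = login("+15550100001", "alice-pw")
    print("own account:", lookup_secure(tok, "+15550100001"))
    print("someone else's:", lookup_secure(tok, "+15550100002"))
```

The hardened path fixes two separate things: authentication (a password check with constant-time comparison and a random session token) and authorisation (the session's owner must match the number being queried). Dropping the second check would leave the call-history exposure in place even after adding a login screen.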
The app’s description mentions that it allows users to add more minutes or data to their plans, but it’s unclear if that required additional authentication. Regardless, there is still a ton of information available to anyone who can get the phone number of one of Q Link Wireless’s customers. Q Link Wireless has reportedly failed to notify its customers that their information has been accessible, which appears to be a worrying trend among companies leaking user data.
Ars found no evidence that the security vulnerability was widely exploited, but having to worry about others having access to a ton of your sensitive data is not something anyone needs.
Q Link Wireless did not immediately respond to a request for comment.