Three, a major mobile phone network in the UK, accidentally revealed user data through a security flaw on one of its websites, The Register reports.
Security researcher Joseph Redfern found that entering any phone number into Three’s survey site would expose the name and email address of the person it belongs to — meaning you could input a stranger’s number and their contact details would be revealed.
The weird part about the security flaw is that the survey site never actually used the personal data once it had been loaded into the web page.
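The pattern described above, a lookup keyed only on a phone number that returns personal fields the page never uses, is sketched here as an added example beside a hardened version. This is not Three's code: the record layout, function names and invite-token scheme are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac

# Constructed sample data; numbers, names and addresses are made up.
CUSTOMERS = {
    "07700900001": {"name": "Alice Example", "email": "alice@example.test"},
    "07700900002": {"name": "Bob Example", "email": "bob@example.test"},
}
SERVER_KEY = b"demo-key-load-from-a-secret-store"  # assumption: server-side secret


def lookup_vulnerable(msisdn):
    """Pattern from the article: any number in, that person's details out."""
    record = CUSTOMERS.get(msisdn)
    if record is None:
        return {"status": 404}
    # The full record goes to the browser although the page never displays it.
    return {"status": 200, "name": record["name"], "email": record["email"]}


def issue_invite(msisdn):
    """Token delivered to the customer with the survey link (hypothetical scheme)."""
    return hmac.new(SERVER_KEY, msisdn.encode(), hashlib.sha256).hexdigest()


def lookup_hardened(msisdn, token):
    """Require proof the caller was invited, and return no personal data."""
    expected = issue_invite(msisdn).encode()
    token_ok = hmac.compare_digest(expected, str(token).encode())
    # Same response for unknown numbers and bad tokens, so the endpoint
    # cannot be used to test which numbers belong to customers.
    if not token_ok or msisdn not in CUSTOMERS:
        return {"status": 403}
    # Only what the survey page needs: no name, no email.
    return {"status": 200, "eligible": True}
```

The hardened version applies two separate fixes: the caller must hold a token bound to the number, and the response carries only the fields the page consumes.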
Redfern says he informed Three customer support about the vulnerability, but never heard anything else from them. The next thing Redfern knew, the site had been taken offline, and Three’s survey API was removed.
We reached out to Three for comment on this story.
Below is a video that Redfern made to explain the vulnerability:
The Three vulnerability is similar to a problem that Uber ran into earlier this week. Uber created a petition microsite that allowed respondents to enter special characters (like # or <), and a security researcher used that vulnerability to enter computer code into the petition that forced it to display an ad for rival company Lyft.