Three UK does it again: Random folk on network website are still seeing others' account data British telco Three UK has once again let random people viewing its homepage view its customers' account details as if they were logged in, exposing personal and billing data to casual browsing. Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three's website, they …
Also note from the article that you didn't have to log in to see someone else's details. So there could be non-customers who could see customer details. And some of those non-customers could have reported it too.
Of course they find the smallest number they can and carefully word the press release to say only that number.
"It's hard to imagine a security breach so specific that it only affects "fewer that 10" users. Perhaps the significant word here is "reported" - everybody was affected, but only 9 reported it."
That is for sure, but the lesson, here, is, for security issues, you can really get away with the most brain insulting bollocks.
El Reg apparently didn't believe this, but the mainstream is gonna buy into it.
I bumped into this exact issue on the evening of their (last) large outage on the 16th Oct and commented about it in the https://forums.theregister.co.uk/forum/all/2019/10/17/three_uk_down_outage_not_working_borked_parrot_dead_ceased_to_be/ article (comment #75-ish, reproduced below) - despite copying in the ICO, providing an image of someone else's bill and chasing numerous Three numerous times via Twitter, I've have absolutely zero response... Good to see they're taking responsibility...
"In other TITSUP news...
The network issues are annoying granted, but possibly not as important as being directly logged into someone else account when hitting the My3 URL last night at about 19.50 and being able to browse all their call logs/billing details.
Appears remarkably reminiscent of: https://www.theregister.co.uk/2017/03/21/three_admits_to_data_breach/
So far, no response as of yet on Twitter from Three Support on that one..."
"I bumped into this exact issue on the evening of their (last) large outage on the 16th Oct and commented about it in the https://forums.theregister.co.uk/forum/all/2019/10/17/three_uk_down_outage_not_working_borked_parrot_dead_ceased_to_be/ article (comment #75-ish, reproduced below) - despite copying in the ICO, providing an image of someone else's bill and chasing numerous Three numerous times via Twitter, I've have absolutely zero response... Good to see they're taking responsibility..."
The ICO are not well resourced. I've direct contact with some of their staff and it can still take 3 days to get a reply for serious issues. The ICO doesn't currently get to keep the fines it issues. So that £160M it handed out to BA will go the the treasury not to the ICO.
Although a customer I never really bother with Three's website or billing system but thought I would login to see if I'm affected by this latest bug.
It does seem to show my own details rather than someone else's but still not a lot of use. "Your next bill will be ready on 13 Aug 2019 (83 days ago)" ???
One our accounts also has the problem of receiving incorrect low or out of data messages which has been going on for what seems like years. The same account also showed nonsense on the website for billing cycle data not used etc.
By coincidence I lost patience just yesterday and used live chat to complain. Magically a mere 45 mins later the website was fixed and hopefully the stupid messages will stop now. Time will tell.
To be fair to 3 billing has always been correct and despite the messages data flowed as normal.
This post has been deleted by its author
If your phone is connected via mobile data and not WiFi, and you use the Three app, it automatically logs you into your account based on some aspect of the SIM information. Clicking through to (for instance) itemised bills bounces you to a web browser, but again automatically logs in to the My3 part of the website - no username or password required.
Likelihood of that first step there (auto identification) being borked at times?
Interesting thought, that would mean their RAN (Radio Access Network) check for unauthenticated journeys is... Well mildly borked by the sound of things and isn't correctly connecting the customers details. On top of allowing more access than should ever be allowed without putting at least a password in.
I wonder if the mobile numbers involved have been ported from a different network onto 3 (since there's other databases involved in tracking who looks after which number rather than the block number range to each opperater like in the early days).
Anon because I work for a rival company and schadenfreude can be a bitch when it comes back around.
Ok this is now damning. There are two my3 logins. https://www.three.co.uk/New_My3/My3_Home which keeps rotating user accounts and https://www.three.co.uk/My3Account2018/My3Login which correctly asks for user login and password. The first being broken should have been disabled.
And yes it's still exposing user details. I know I'm old and crusty but has the art of diagnostics been lost forever?
At some time in the future there will be a new category to measure company performance Good, Average, Poor. Bad and Three
Firstly, that "fewer than 10" comment is hilarious, that's just indicative of the amount of people who just happened to access the Three website using someone elses hotspot AND bothered to report it.
I set up Three wireless broadband for my ex, and although on good terms, there's physical distance between us, so when I get questions about it being down etc, two things have struck me as being strange practice. Firstly, you can only reset a MyThree password if you have access to the sim card, which presumes said sim card is in a phone and able to receive messages? Secondly, and more ironically relevant given this story, you can only access the Three mobile app when connected to your (although I'm now presuming any) Three connection. Want to check your bills etc out of home, forget about it. The set-up seems oddly backwards.
Now completley unrealated to the article, and rant incoming...
Reading this article I thought i'd log in and check my three account..you know just out of Curiosity.
I noticed I had a £3 charge that was outside of my normal fees...Looking in to it I'd been charged for receving a text message!!! I had a look at the text message in question and it reads "To get our short simple tasty cooking recipes and enjoy hassle free cooking visit http://my.recipefind.co.uk". I had just ignored it as spam, but had been charged £3 to just receive it...the number it came from was 65144.
Just phoned up 3 who have refunded the cost and blocked future paid messages..... Thank you el-reg without you I probably wouldn't have noticed it. I would never have imagined you could be charged for receiving spam.... Sorry folks rant over
...people that are dicking around with NordVPN on their network, I'm sure of it. It regularly fails to work on the Three network so I switch to WIFI to test. Works fine on the WIFI then flip back to Three and isn't working again once connected to Nord's servers. Disconnect from Nord, network traffic on Three works again. Connect to Nord a while later on Three, all works. Getting fucking annoying now.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
