Why is there “no password required” when accessing accounts? What not to do when setting up accounts for services

I’ve been contemplating this article Michael in Tennessee sent me in regards to a wireless company that thought it would be a great idea to have applications for iOS and Android that allowed people to put in any customer’s phone number, giving anyone full read access to all of the data on the account.

When writing up the news notes, I wrote:

Finally, in the “I can’t believe I heard this article” department, Michael in Tennessee read this article via Ars Technica which really started me thinking about this company’s security posture. The company’s name is Q Link Wireless. They apparently had an app that allowed you to enter any customer telephone number, which you had to know. After doing this within their application for iOS and Android, the person could see anything they wanted within the account with “no password required.” According to the article, this company is known as a “Mobile Virtual Network Operator.” They are based in the state of Florida. It provides government and subsidized phones to people who qualify under the Lifeline program. They apparently serve at least 2 million customers, according to the article. I suggest you check jaredtech.help as I have a bunch more to say in regards to this story; suffice it to say, they apparently closed this hole server-side, with no communication with any researcher or anyone who reported this to the company.

The subtitle of today’s article is: “Q Link Wireless made data available to anyone who knows a customer’s phone number.” and I suppose it just fits, doesn’t it?

The article was written for Ars Technica on April 9th, and sadly it was the last item for news notes. People ought to be ashamed of themselves at this company for thinking this was a great idea.

Q Link offers a mobile app called “My Mobile Account” for both iOS and Android, as stated in the notations quoted above as well as within the article, which I’ll link here as well.

Besides letting you see data usage, minutes available, minute usage and text usage, and even buy more minutes or data, the app can also display the customer’s:

  • First and last name
  • Home address
  • Phone call history (from/to)
  • Text message history (from/to)
  • Phone carrier account number needed for porting
  • Email address
  • Last four digits of the associated payment card

This is a lot of data for one account, especially when the company had it set up so that anyone could enter a subscriber’s phone number. Can you imagine what would happen when someone malicious came in and decided that they would take a look around?

According to the article, this wide-open access has been available since December, presumably December of last year, though the article only says “since December.”

According to a person on Reddit, they reported this glaring issue to the company and got only a “thank you for reporting this to us.” He later reported the same issue twice this year, in February and again in April. Then this past Thursday, the app stopped connecting to accounts, with a message that says the number is invalid.

I wonder what they ended up doing? Why did it take this long to fix it? Why didn’t the CEO respond to the reporter’s email(s) when it was brought to his attention?

For the complete write-up by Dan Goodin of Ars, please read: No password required: Mobile carrier exposes data for millions of accounts: Q Link Wireless made data available to anyone who knows a customer’s phone number. This is security at its worst. Good job, Q Link Wireless, keep up the great work.
