Personal Data Of Millions Exposed In Cell Phone Carrier’s Wide Open Mobile App
Information scraping campaigns are becoming more prevalent, it seems, with LinkedIn recently losing data for 500 million users. Facebook also faced a similar issue with its phone contact search feature, which allowed malicious parties to collect over 500 million users' information. Another company, called Q Link Wireless, could be facing the same issue due to a misconfigured or poorly designed mobile app that could have leaked sensitive data. Perhaps it is time to take a hard look at what data is public and how users can access it.
Q Link Wireless is a low-cost mobile provider that also works with the FCC on the Lifeline program to provide free cell phone service to low-income households. They claim to provide services to tens of millions of low-income Americans outside of the customers who use the low-cost "Hello Mobile" program, meaning this company holds a plethora of data. Thus, it would not be good if anyone could search for it.
According to a Reddit post, anyone could do just that, provided they know a valid Q Link number. Q Link provides a mobile account management app for its low-cost "Hello Mobile" brand that allows users to keep tabs on data usage, plan info, and other details. The problem is the app's sheer lack of security: all you need to do to see an account is plug in a phone number. From there, anyone can easily access a user's full name, address, phone call history, text message history (from/to), email, and account number, which is a massive privacy issue.
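The missing control described above, shown as an added example that is not from the Reddit post or from Q Link's code: a lookup keyed only on the phone number, next to one that requires a server-signed session token bound to that number. All function names, the token format and the sample records are constructed assumptions.

```python
# Added illustration; every name and record here is constructed, not Q Link's code.
import hashlib
import hmac
import secrets

ACCOUNTS = {  # constructed sample data
    "5550100001": {"name": "Alice Example", "email": "alice@example.com"},
    "5550100002": {"name": "Bob Example", "email": "bob@example.com"},
}
SERVER_KEY = secrets.token_bytes(32)  # signing key that never leaves the server


def lookup_vulnerable(phone):
    """Behaviour the article describes: the phone number alone selects the account."""
    return ACCOUNTS.get(phone)


def _sign(phone):
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def issue_token(phone):
    """Call only after the subscriber has proven identity (password, one-time code).
    A production token would also carry an expiry; omitted to keep the sketch short."""
    return f"{phone}.{_sign(phone)}"


def authenticated_phone(token):
    """Return the number a token was issued for, or None if it is missing or forged."""
    phone, _, sig = (token or "").partition(".")
    # Constant-time comparison so the check does not leak how much of the tag matched.
    ok = hmac.compare_digest(sig.encode(), _sign(phone).encode())
    return phone if ok else None


def lookup_hardened(token, requested_phone):
    """Serve a record only to a caller whose token is bound to that same number."""
    owner = authenticated_phone(token)
    if owner is None:
        return 401, None   # no valid session at all
    if owner != requested_phone:
        return 403, None   # logged in, but asking for someone else's account
    return 200, ACCOUNTS.get(owner)
```

The 403 branch is the one that matters here: even a legitimately logged-in subscriber cannot walk through other customers' numbers.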
The Reddit user reports that they informed the developer of the issue in February, but it still has not been fixed as of April 9th. Besides this one user, however, people are leaving reviews explaining that there is a security issue and the company is responding, which makes this ordeal simple negligence. Then, on April 9th, the company seemed to have performed a server-side change that disabled the app for all users. This is less of a fix and more of a Flex Tape fix on the Titanic, and a fair amount of data could have been extracted by now.
If you or someone you know is a Q Link Wireless customer, either through the Lifeline program or the low-cost mobile service, perhaps you should reach out to the company to verify your data's integrity. This is quite concerning considering data scraping issues are repeatedly happening now, but let us know what you think of this all in the comments below.