Customer data leakage
11-09-2021 04:28 PM
Hey,
You are exposing customer names and numbers to other customers by accident. Looks to be a cached call, possibly via a CDN. Try to add another phone to your account (Android on Chrome on the EE website). There is a bit of text at the top which should say the logged in customer and name but instead may say another customer's. My name is neither Elena nor Haider but as you can see in the attached screenshots, that's what the website said...
I'm a senior sw engineering manager for a digital agency, I've seen this class of bug a few times. You need to make the call with unique parameters or (better) whitelist it on the cache.
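The class of bug described in the post above, as an added example that is not part of the original thread and not EE's code: a shared cache keyed only on the path serves one customer's personalised response to the next, and either of the two suggested fixes stops it. The path, session ids and customer data are constructed, and reading "whitelist it on the cache" as excluding the call from caching is an assumption.

```python
# Constructed simulation: a shared (CDN-style) cache in front of a
# personalised endpoint. Path, session ids and customer data are hypothetical.
CUSTOMERS = {
    "sess-a": "Customer A, 07700 900001",  # constructed sample data
    "sess-b": "Customer B, 07700 900002",
}
PATH = "/account/header"  # hypothetical call that returns the logged-in customer


def origin(session, mark_private):
    """Origin builds a per-customer body and says whether it may be shared."""
    policy = "private, no-store" if mark_private else "public, max-age=300"
    return {"Cache-Control": policy}, CUSTOMERS[session]


class SharedCache:
    def __init__(self, key_on_session=False, mark_private=False):
        self.key_on_session = key_on_session
        self.mark_private = mark_private
        self.store = {}

    def get(self, path, session):
        # With a path-only key (the bug) the cache ignores who is asking.
        key = (path, session) if self.key_on_session else (path,)
        if key in self.store:
            return self.store[key]
        headers, body = origin(session, self.mark_private)
        directives = {d.strip() for d in headers["Cache-Control"].split(",")}
        # A shared cache must not store responses marked private or no-store.
        if not directives & {"private", "no-store"}:
            self.store[key] = body
        return body


def two_customers(**options):
    """Customer A loads the page, then customer B; return what B is shown."""
    cache = SharedCache(**options)
    cache.get(PATH, "sess-a")
    return cache.get(PATH, "sess-b"), len(cache.store)


if __name__ == "__main__":
    print("path-only key:      ", two_customers())
    print("per-session key:    ", two_customers(key_on_session=True))
    print("excluded from cache:", two_customers(mark_private=True))
```

Excluding the call leaves nothing in the shared cache at all, whereas a per-session key still stores one copy of each customer's details at the edge.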
11-09-2021 04:47 PM
@Juamei You need to report this to customer services, not post it on a public forum. If there is some sort of breach you're showing the whole world.
11-09-2021 04:50 PM
Well I asked on Twitter and was ignored and pointed it out on webchat but was told I had made a mistake. Do neither of those go to customer services?
11-09-2021 04:51 PM
I have experienced this too. Huge data protection issue for EE yet when I informed them the response I got is they are aware of the issue. That was all.
11-09-2021 05:00 PM
That's not great. When did you inform them? Disabling the functionality wouldn't be hard, couple of hours max plus testing and deployment time.
11-09-2021 05:03 PM
I called them an hour ago roughly. They spieled out some technical things and said they're aware of the issue. I do not think EE realise the impact of a data breach.
11-09-2021 05:19 PM
My wife has a separate EE account and just managed to get my name and number!!
11-09-2021 05:45 PM
Reported as a data breach via customer services. Will delete this thread when happy it's being actioned.
11-09-2021 09:45 PM
You can't delete threads. You may select a post as a Solution if you like.
To phone EE CS: Dial Freephone +44 800 079 8586 - Option 1 for Mobile Phone & Mobile Broadband or Option 2 for Home Broadband & Home Phone
ISPs: 1999: Freeserve 48K Dial-Up > 2005: Wanadoo 1 Meg BB > 2007: Orange 2 Meg BB > 2008: Orange 8 Meg LLU > 2010: Orange 16 Meg LLU > 2011: Orange 20 Meg WBC > 2014: EE 20 Meg WBC > 2020: EE 40 Meg FTTC > 2022: EE 80 Meg FTTC SoGEA > 2025: EE 150 Meg FTTP
