11-09-2021 04:28 PM
Hey,
You are exposing customer names and numbers to other customers by accident. Looks to be a cached call, possibly via a CDN. Try to add another phone to your account (Android on Chrome on the EE website). There is a bit of text at the top which should say the logged-in customer and name but instead may say another customer's. My name is neither Elena nor Haider but as you can see in the attached screenshots, that's what the website said...
I'm a senior sw engineering manager for a digital agency, I've seen this class of bug a few times. You need to make the call with unique parameters or (better) whitelist it on the cache.
11-09-2021 04:47 PM
@Juamei You need to report this to customer services, not post it on a public forum. If there is some sort of breach you're showing the whole world.
11-09-2021 04:50 PM
Well I asked on Twitter and was ignored and pointed it out on webchat but was told I had made a mistake. Do neither of those go to customer services?
11-09-2021 04:51 PM
I have experienced this too. Huge data protection issue for EE yet when I informed them the response I got is they are aware of the issue. That was all.
11-09-2021 05:00 PM
That's not great. When did you inform them? Disabling the functionality wouldn't be hard, couple of hours max plus testing and deployment time.
11-09-2021 05:03 PM
I called them an hour ago roughly. They spieled out some technical things and said they're aware of the issue. I do not think EE realise the impact of a data breach.
11-09-2021 05:19 PM
My wife has a separate EE account and just managed to get my name and number!!
11-09-2021 05:45 PM
Reported as a data breach via customer services. Will delete this thread when happy it's being actioned.
11-09-2021 09:45 PM
You can't delete threads. You may select a post as a Solution if you like.