Q Link Wireless, a Florida-based MVNO for low-income consumers, exposed the personal data of its 2M customers to anyone who knew a number from the carrier.
A mobile carrier exposed millions of customer accounts without requiring a password.
Anyone who had the phone number of a Q Link Wireless customer had access to that customer’s data.
According to an analysis of Q Link Wireless’ account management app, sensitive account data is easily accessible to anyone with a valid phone number on the carrier’s network.
Q Link Wireless is a Mobile Virtual Network Operator (MVNO), meaning it does not operate its own wireless network but resells service it buys from other carriers. Through the FCC’s Lifeline Program, it gives low-income consumers government-subsidized phones, and through its Hello Mobile brand it also offers low-cost plans. Q Link Wireless had 2 million customers in 2019.
Customers use the My Mobile Account app (available for both iOS and Android) to view their call and text histories, check data and minute usage, and buy additional minutes or data. The app also displays:
- First and last name
- Home address
- Phone call history (from/to)
- Text message history (from/to)
- Phone carrier account number needed for porting
- Email address
- Last four digits of the associated payment card
Since at least December, and possibly much earlier, the My Mobile Account app has displayed this information for any customer account (if it is enabled) whose valid Q Link Wireless phone number is entered. That’s right: no password or any other credential is required to get started.
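The flaw described above is an account endpoint whose only "credential" is a phone number. The following is an added illustration, not code from Q Link Wireless or its app: a lookup that mirrors the reported behaviour beside a hardened version that releases a record only to a session proven to belong to that same number. All account records and phone numbers are constructed sample data.

```python
import hmac
import secrets

# Constructed sample records; no real customers or numbers.
ACCOUNTS = {
    "3055550100": {"name": "Ana Example", "address": "1 Sample St", "card_last4": "4242"},
    "3055550199": {"name": "Ben Sample", "address": "2 Sample Ave", "card_last4": "1111"},
}

def lookup_vulnerable(phone):
    """Mirrors the reported behaviour: any valid number returns the full record.
    The phone number acts as both identifier and credential, so anyone who
    knows it gets the account data."""
    return ACCOUNTS.get(phone)

# Hardened design (assumed, not Q Link's): a session is issued only after the
# caller proves control of the number, and each session is bound to one account.
SESSIONS = {}  # session token -> phone number the session was issued for

def issue_session(phone, otp_verified):
    """Issue a session only after proof of control (e.g. an SMS one-time code
    delivered to that number was entered correctly). Returns None otherwise."""
    if not otp_verified or phone not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, per-login token
    SESSIONS[token] = phone
    return token

def lookup_hardened(phone, token):
    """Return the record only if the presented session was issued for that
    same number. Authentication is checked before account existence so the
    response does not reveal which numbers are valid customers."""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"error": 401}  # no valid session at all
    if not hmac.compare_digest(owner, phone):
        return {"error": 403}  # valid session, but for a different account
    return ACCOUNTS[phone]
```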
I was in awe when I first saw a Reddit thread discussing the app, and I thought for sure there must have been some kind of mistake. Then I installed the app, asked another thread reader for permission to use it, and entered his phone number into the app. As the redacted images above show, I was able to see his personal information immediately after clicking on the link.
According to the person who started the Reddit thread, in an email he sent to me, he had initially reported this glaring security flaw to Q Link Wireless at least one year ago. According to the emails he provided, he notified support twice this year, the first time in February and the second in June.
Reviews of both the iOS and Android versions also noted the issue, in several cases with a reply from a Q Link Wireless representative thanking the reviewer for the feedback.
Negligence at its worst
This exposure matters because phone numbers are so easy to obtain. People hand their numbers over on forms to prospective employers, mechanics, and other strangers, and private detectives, abusive spouses, stalkers, and anyone else interested in a particular individual can obtain a number with little effort. Making customer data openly available to anyone who knows a customer’s number is nothing short of negligent on the part of Q Link Wireless.
I emailed the carrier on Wednesday about the insecurity and followed up almost a dozen times. Despite my pointing out that the data exposure continued every hour, Q Link Wireless CEO Issa Asad did not respond.
Customers’ My Mobile Account apps stopped connecting late Thursday. When presented with a customer number, the app now displays the message “Phone number doesn’t match any account.” Q Link Wireless last updated the app in February, suggesting the fix was made by a server-side change.