O2 UK's Weird MSISDN Lookup API


It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number.

I put in a random number, and it refused to let me in.

Sorry, we don’t recognise this number. Please try again.

Putting in a genuine O2 number let me through. So what is it doing to validate numbers?

It is making an API call to this URl:

https://www.o2.co.uk/o/customer/mods/lookup/447700900123

After a bit of testing, this is how I think it works.

If you give it an O2 phone number, it replies with:

JSON JSON{"type":"ONE"}

If you give it a number which isn't on O2, it gives:

JSON JSON{"type":"ZERO"}

A number it doesn't recognise gives:

JSON JSON{"message":"Unable to find the requested resource."}

A malformed or incomplete phone number gives:

JSON JSON{"message":"Something's wrong. Please try again later."}

Responsible Disclosure?

As far as I can tell, O2 no longer have a Bug Bounty or Responsible Disclosure offering. So I'm publishing it here to let people know.

It is possible that someone could use this API to disclose a (minor) piece of personal information about you - namely whether your phone number is on O2 or not. I don't think that's particularly sensitive, but it is probably worth knowing.


Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

7 thoughts on “O2 UK's Weird MSISDN Lookup API”

  1. Mike says:

    I wonder what it would return for a number which was allocated to O2 (or (BT) Cellnet) but has since been ported.

    https://www.telecom-tariffs.co.uk/codelook.htm tells me the network my number was allocated to, (as can other websites, it is apparently public via Ofcom but I’ve not looked for the source), but I’ve ported it since. That website also gives me charging information which is different to the network the number was allocated to, but also wrong in a way which makes me wonder if it’s wrong because it has out of date information or for some other reason.

    Reply
  2. said on mastodon.energy:

    @joshbal4 @Edent Yes, and the related phishing / identity-theft fraud calls - a friend's next door neighbour was recently victim of one of these re Vodafone UK: "we've just sent you an authorisation number in a text message - please could you read that out to me to confirm you're the account holder" - at that point they used the auth code which they'd requested from Vodafone to change the users' email address, and then went on to apply for various loans and other credit in his name.

    Reply | Reply to original comment on mastodon.energy
    1. Mike says:

      Maybe it’s ONE customer found or ZERO customer found. Maybe there are circumstances it could return TWO, or even THREE! Perhaps an integer is put though something like Python’s num2words. 😀

      Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">