O2 UK's Weird MSISDN Lookup API
It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number.
I put in a random number, and it refused to let me in.
Putting in a genuine O2 number let me through. So what is it doing to validate numbers?
It is making an API call to this URL:
https://www.o2.co.uk/o/customer/mods/lookup/447700900123
After a bit of testing, this is how I think it works.
If you give it an O2 phone number, it replies with:
{"type":"ONE"}
If you give it a number which isn't on O2, it gives:
{"type":"ZERO"}
A number it doesn't recognise gives:
{"message":"Unable to find the requested resource."}
A malformed or incomplete phone number gives:
{"message":"Something's wrong. Please try again later."}
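To make the four response shapes above concrete, here is a small client-side classifier. It is an added example, not O2's code and not something from the original post. The Carrier names, the number normalisation and the FAKE_RESPONSES table are my own assumptions: the table is a constructed stand-in for the live endpoint (keyed by the URL the client would request, using Ofcom's 07700 900xxx fictional range), so the script runs offline. The one practical point it adds is that a malformed number is rejected locally before any request is made, which is the case the page shows producing the "Something's wrong" body.

```python
"""Classifier for the O2 MSISDN lookup responses described on the page.

Added example, not O2's code.  Nothing here touches the network: the
response bodies are the ones shown on the page and FAKE_RESPONSES is a
constructed stand-in for the live endpoint.
"""
import json
import re
from enum import Enum

LOOKUP_BASE = "https://www.o2.co.uk/o/customer/mods/lookup/"


class Carrier(Enum):
    O2 = "on O2"            # {"type":"ONE"}
    NOT_O2 = "not on O2"    # {"type":"ZERO"}
    UNKNOWN = "unknown"     # "Unable to find the requested resource."
    ERROR = "error"         # "Something's wrong..." or anything undocumented


def normalise_uk_msisdn(raw: str) -> str:
    """Return a UK mobile number in the 44XXXXXXXXXX form the endpoint expects.

    Accepts '07700 900123', '+44 7700 900123', '0044 7700 900123' and
    '447700900123'.  Raises ValueError for anything that is not a UK mobile
    number (national format 07xxx xxxxxx), so malformed input is rejected
    locally instead of being sent to the API.  (Assumed rule, not O2's.)
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = "44" + digits[1:]
    if not re.fullmatch(r"447\d{9}", digits):
        raise ValueError(f"not a UK mobile number: {raw!r}")
    return digits


def lookup_url(raw: str) -> str:
    """Build the lookup URL in the form shown on the page."""
    return LOOKUP_BASE + normalise_uk_msisdn(raw)


def classify(body: str) -> Carrier:
    """Map a JSON response body to a Carrier value.

    Bodies that are not JSON, or have a shape the page does not document,
    are reported as ERROR rather than guessed at.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Carrier.ERROR
    if not isinstance(data, dict):
        return Carrier.ERROR
    if data.get("type") == "ONE":
        return Carrier.O2
    if data.get("type") == "ZERO":
        return Carrier.NOT_O2
    if data.get("message") == "Unable to find the requested resource.":
        return Carrier.UNKNOWN
    return Carrier.ERROR


# Constructed stand-in for the live endpoint, keyed by request URL.
# Numbers are from Ofcom's reserved 07700 900xxx range, as on the page.
FAKE_RESPONSES = {
    lookup_url("07700 900123"): '{"type":"ONE"}',
    lookup_url("+44 7700 900124"): '{"type":"ZERO"}',
    lookup_url("447700900125"): '{"message":"Unable to find the requested resource."}',
}


def lookup(raw: str, fetch=FAKE_RESPONSES.get) -> Carrier:
    """Validate locally, then ask `fetch` for the body and classify it.

    `fetch` takes a URL and returns the body text or None.  Swap in a real
    HTTP GET to query the live endpoint; the classification is unchanged.
    """
    try:
        url = lookup_url(raw)
    except ValueError:
        return Carrier.ERROR   # never sent: the page shows this only errors
    body = fetch(url)
    if body is None:
        return Carrier.ERROR
    return classify(body)


if __name__ == "__main__":
    for n in ["07700 900123", "+44 7700 900124", "447700900125", "0770090012"]:
        print(f"{n!r:>18} -> {lookup(n).value}")
```

Running it prints one line per number showing which of the four outcomes it maps to. The UNKNOWN case is kept separate from NOT_O2 deliberately, because the comments below suggest the two differ for ported numbers.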
Responsible Disclosure?
As far as I can tell, O2 no longer have a Bug Bounty or Responsible Disclosure offering. So I'm publishing it here to let people know.
It is possible that someone could use this API to disclose a (minor) piece of personal information about you - namely whether your phone number is on O2 or not. I don't think that's particularly sensitive, but it is probably worth knowing.
Mike says:
I wonder what it would return for a number which was allocated to O2 (or (BT) Cellnet) but has since been ported.
https://www.telecom-tariffs.co.uk/codelook.htm tells me the network my number was allocated to, (as can other websites, it is apparently public via Ofcom but I’ve not looked for the source), but I’ve ported it since. That website also gives me charging information which is different to the network the number was allocated to, but also wrong in a way which makes me wonder if it’s wrong because it has out of date information or for some other reason.
James Holden said on mas.to:
@Edent @tomh I tried my wife's number, which was issued by Orange, many years ago, but ported to O2 last year. It returns {"type":"ONE"}, seemingly confirming that O2 consider it theirs.
James Holden said on mas.to:
@Edent @tomh Additionally, if I give it my own number, which also was issued by Orange but is now ported to Three, I get "Unable to find the requested resource".
Tim Small said on mastodon.energy:
@joshbal4 @Edent Yes, and the related phishing / identity-theft fraud calls - a friend's next door neighbour was recently the victim of one of these re Vodafone UK: "we've just sent you an authorisation number in a text message - please could you read that out to me to confirm you're the account holder" - at that point they used the auth code which they'd requested from Vodafone to change the user's email address, and then went on to apply for various loans and other credit in his name.
ExperiencersInternational said on lethallava.land:
@Edent@mastodon.social also if you want to discover whether a customer is on O2, literally just use https://freecarrierlookup.com/
My number is registered to Virgin Media and it'll show up as an O2 number.
Gaelan Steele said on cathode.church:
@Edent I’m just fascinated by the series of decisions that led to a boolean getting encoded as “ONE” or “ZERO”
Mike says:
Maybe it’s ONE customer found or ZERO customer found. Maybe there are circumstances it could return TWO, or even THREE! Perhaps an integer is put through something like Python’s num2words. 😀
More comments on Mastodon.