Q Link Wireless, a provider of low-cost cell phone and data services to 2 million U.S. customers, has made sensitive account information available to anyone who knows a valid phone number on the provider’s network, an analysis of the company’s account management app shows.
Dania, Florida-based Q Link Wireless is what’s known as a Mobile Virtual Network Operator, meaning it doesn’t operate its own wireless network, but rather buys services in bulk from other providers and resells them. It provides government-subsidized telephones and service to low-income consumers through the FCC’s Lifeline program. It also offers a range of low-cost service plans through the Hello Mobile brand. In 2019, Q Link Wireless said it had 2 million customers.
The carrier offers an app called My Mobile Account (for both iOS and Android) that customers can use to check text and minute history, data and minute usage, or to purchase additional minutes or data. The app also shows the following information about the customer:
- First name and surname
- Home address
- Phone call history (from/to)
- Text message history (from/to)
- Phone company account number needed for a transfer
- E-mail address
- Last four digits of the payment card on file
Screenshots of the iOS version look like this:
No password required. What?
Since at least December and possibly much earlier, My Mobile Account will display this information for any customer account when presented with a valid Q Link Wireless phone number. That’s right – no password or anything else required.
When I first saw a Reddit thread about the app, I definitely thought there was some kind of bug. So I installed the app, got permission from another thread reader and entered his phone number. I immediately checked his personal information, as the redacted images above demonstrate.
The person who started the Reddit thread said in an email that he first reported this glaring vulnerability to Q Link Wireless sometime last year. Emails he provided indicate that he reported it to support twice more this year, first in February and again this month.
Feedback left in reviews for both the iOS and Android offerings also reported this issue, in several cases with a response from a Q Link Wireless representative thanking the person for the feedback.
The data exposure is serious because phone numbers are so easy to find. We give them to potential employers, auto mechanics, and other strangers. And, of course, phone numbers are easily available to private investigators, abusive husbands, stalkers, and other people with an interest in a particular person. Q Link Wireless’ making customer data freely available to anyone who knows a customer’s phone number is an act of gross negligence.
I started emailing the carrier on Wednesday about the vulnerability and followed with nearly a dozen other messages. Q Link Wireless CEO and founder Issa Asad did not respond despite my comment that every hour he allowed the data exposure to continue increased the risk to his customers.
Then late Thursday, My Mobile Account stopped connecting to customers’ accounts. When presented with a Q Link Wireless customer’s number, the app responds with a message that reads, “Phone number does not match an account.” The iOS and Android versions of the app were last updated in February, suggesting that the fix is the result of a change Q Link Wireless made to a server.
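The failure mode described above, reduced to its essentials, as an added example that is not Q Link Wireless’ code and assumes nothing about its real backend: an account lookup keyed only on a caller-supplied phone number, beside a version that binds the lookup to an authenticated session owning that number and returns the same generic refusal for unknown, unauthenticated and mismatched requests. All account data and function names are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Union
import secrets

@dataclass
class Account:
    phone: str
    name: str
    address: str
    email: str
    card_last4: str

# Constructed sample records, not real customer data.
ACCOUNTS: Dict[str, Account] = {
    "5550100": Account("5550100", "A. Example", "1 Example St", "a@example.net", "4242"),
    "5550199": Account("5550199", "B. Example", "2 Example Ave", "b@example.net", "1234"),
}

# Hypothetical session store: token -> phone number the session is bound to.
SESSIONS: Dict[str, str] = {}

REFUSAL = "Phone number does not match an account."

def login(phone: str, password_ok: bool) -> Optional[str]:
    """Issue a session bound to one account only after the user has authenticated.
    password_ok stands in for whatever credential check the real service performs."""
    if phone not in ACCOUNTS or not password_ok:
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = phone
    return token

def lookup_vulnerable(phone: str) -> Optional[dict]:
    """The weak pattern: the phone number alone selects and unlocks the record."""
    acct = ACCOUNTS.get(phone)
    return asdict(acct) if acct else None

def lookup_fixed(phone: str, token: Optional[str]) -> Union[dict, str]:
    """The corrected pattern: the record is released only to a session that owns
    that phone number. Missing token, bad token, another customer's number and a
    non-existent number all get the identical refusal, so the response does not
    reveal whether a number belongs to a customer."""
    if token is None or SESSIONS.get(token) != phone or phone not in ACCOUNTS:
        return REFUSAL
    return asdict(ACCOUNTS[phone])
```

The point of the single refusal string is that the authorization check, not the existence of the record, decides the answer; an attacker who only knows a number learns nothing from either branch.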
Although My Mobile Account displayed customers’ personal information, it did not provide a way to change that information. The app also did not display any passwords. That means a person would not be able to exploit this leak to perform a SIM swap or lock users out of their accounts, although the exposure could make it easier for a would-be SIM swapper to social-engineer a Q Link Wireless employee into porting a number to a new phone.
So far there is no indication that this leak has been actively exploited. Investigators from security firm Intel471 haven’t found any discussion of the exposed data in criminal forums, but there’s no way to know whether it has been misused on a smaller scale, such as by someone who knows or has interacted with a Q Link Wireless customer.
As phone users seeking low-cost, no-frills mobile service, Q Link customers are part of a population that is least able to afford data-breach protection and other privacy services. The carrier has yet to notify customers of the data exposure. People using the service should assume that all data displayed by the app has been available to anyone who has their phone number.