
How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, - Science/Technology - Nairaland


How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by takeitsimple: 7:21pm On Aug 24, 2020
How I caught and reported a vital bug that exposes GLO customer MSISDN (Mobile No.) to the third party?

Summary

Issue: GLO customer's mobile number is exposed to third party applications while browsing the internet.

Date reported: June-8-2020

Date fixed: August-11-2020

Priority: Internal classification not known to me

Classification: Validated and Resolved by GLO

OS: Android, iOS, Windows, and Linux (didn't check with Mac)

Protocol(s): HTTPS & HTTP

My approach :

I always enjoy building APIs within my reach instead of relying on third-party resources, and that led me into writing an API to capture information about users who access my web app (ww.scholarsinislam.com).

On June-7-2020, I asked a friend to help review my project, and that led me into checking his device information. I was able to figure out that my friend accessed my web app using the GLO network and that his mobile number was exposed to my web app without his consent (while he was thinking, "I'm just browsing").

Wasting no time, I quickly raised it on Twitter (https://twitter.com/AmudaAdeolu/with_replies) (my second tweet and third time logging into Twitter).
I was contacted by GLO, and what followed was a series of tests between me and their technical team.
GLO management/engineers appear good, friendly and smart, and they were able to fix it on August-11-2020 (ceteris paribus).

Lesson learned

1. Be yourself, and don't do what others are doing without knowing why and what led them into such.
Do what you love and love what you do.

2. As a software engineer or developer, don't be lazy and completely dependent on using a third-party API that is within your reach; rather, build things from scratch, own them, and keep making them better (that may not be advisable for some projects).
If I had used Google Analytics or a related tool to track my users' activities, such a bug would never have been revealed to me, and various organizations would keep mining and spying on millions of GLO customers' information without their consent.

3. Computer science fundamentals make real software engineers/products.
Stick to it and don't be a master of X or Y framework without it.

Useful resources
1. MSISDN:
https://citizenlab.ca/2015/05/the-many-identifiers-in-our-pocket-a-primer-on-mobile-privacy-and-security/
https://ntnuopen.ntnu.no/ntnu-xmlui/bitstream/handle/11250/2459497/17622_FULLTEXT.pdf?sequence=1&isAllowed=y

2. HTTP HEADERS:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#:~:text=HTTP%20headers%20let%20the%20client,before%20the%20value%20is%20ignored.

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by Nobody: 7:24pm On Aug 24, 2020
Good, commendable
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by Nobody: 7:26pm On Aug 24, 2020
Cool
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by Shellsploit: 7:29pm On Aug 24, 2020
For free?
They couldn't even offer you a job sef.. grin



Lalasticlala sef!

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by SirMichael1: 7:31pm On Aug 24, 2020
This is cool. This is the kind of person I love having around me.

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by unclemaths(m): 7:33pm On Aug 24, 2020
Your modesty is noteworthy.
I also hope GLO reciprocated in an equally worthy manner. (Please, don't accept recharge cards)
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by Nobody: 7:42pm On Aug 24, 2020
Thumbs up
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by takeitsimple: 7:46pm On Aug 24, 2020
Shellsploit:
For free?
They couldn't even offer you a job sef.. grin

Compensation: Text
Compensation content: Good day, we thank you and appreciate your contribution. We always cherish brilliant minds like yourself; whenever situations permit in the near future, such brilliant minds like yourself will always be acknowledged in line with laid-down process. Thank you. DA

https://twitter.com/GloCare/status/1297901003031941120

Lalasticlala sef!

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by takeitsimple: 7:46pm On Aug 24, 2020
unclemaths:
Your modesty is noteworthy.
I also hope GLO reciprocated in an equally worthy manner. (Please, don't accept recharge cards)


Compensation: Text
Compensation content: Good day, we thank you and appreciate your contribution. We always cherish brilliant minds like yourself; whenever situations permit in the near future, such brilliant minds like yourself will always be acknowledged in line with laid-down process. Thank you. DA

https://twitter.com/GloCare/status/1297901003031941120

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by Shellsploit: 7:51pm On Aug 24, 2020
Let's see how it goes...
Hope it doesn't end on their tweet...





Speaking from experience smiley
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by decatalyst(m): 8:04pm On Aug 24, 2020
This is beautiful.

We have sound and smart minds in this country.

But they did bad PR for their company. A smart company should take you on board immediately... some banks and firms have leveraged simple acts of publicity that wouldn't even give them so much, and the persons involved are handsomely appreciated.

Another telecom company may snap you up, soon! Keep up the good work!
Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by unclemaths(m): 11:05am On Aug 26, 2020
takeitsimple:



Compensation: Text
Compensation content: Good day, we thank you and appreciate your contribution. We always cherish brilliant minds like yourself; whenever situations permit in the near future, such brilliant minds like yourself will always be acknowledged in line with laid-down process. Thank you. DA

https://twitter.com/GloCare/status/1297901003031941120

May heavens reward you, OP.
What an appreciative spirit from our people?!

1 Like

Re: How I Caught And Reported A Vital Bug That Exposes GLO Customer Mobileno, by clockwisereport: 2:00pm On Sep 07, 2020
nice one boss
