December 20, 2007

Details of Unlisted Number Address "Exploit" Revealed

Update Bulletin (December 21, 2007 1740 PST): Acceller Promises to Close Unlisted Number Address Exploit

Greetings. After due consideration and some expert advice, and since the firm involved obviously feels that they're not doing anything wrong (will everyone else agree?), I've decided to release the details of the unlisted-number-to-address lookup "exploit" I outlined in Psst! Wanna Know the Street Address for an Unlisted Number? -- please see that entry for the background on this situation. This "exploit" is still up and running as of a few minutes ago.

As noted previously, this technique is extremely successful at revealing the street addresses for U.S. landline (non-mobile) telephone numbers, including those aforementioned unlisted numbers. The returned information isn't 100% accurate for all queries and some numbers are missing -- I suspect stale data in certain situations -- but it's very "good" overall.

Also, the full text of a response I received from the company's (apparent) public relations firm is available for your perusal and amusement.

Calling this procedure an "exploit" is actually a misnomer as you'll see, since it's simple and direct to access once you know where it lives -- and even that is unfortunately relatively obvious, so it seems very likely that it's already being used for "unintended" purposes. My hope is that broader knowledge of this matter may lead to a more rapid resolution of the situation, since the firm chose not to limit this data after I called their attention to the privacy issues involved.

As you probably know, various large cable television and other service firms (e.g. Time Warner, Comcast, etc.) present an array of service offers on their Web sites. The most typical means for a new customer to query these sites about available offers at their location is via their phone number.

And as it turns out, a major provider of back-end database and related operations provides various functional aspects of many related Web sites. Enter a phone number at the Time Warner offers site, for example, and it's likely to actually be processed by this back-end service (sometimes in a quite obvious manner).

It is also apparently possible to make similar queries via voice calls to a toll-free number at the back-end services firm's call center, but I have not explored the non-Web aspects of this operation in detail.

Rather than worry about the cable firms in this example (though we could go through their sites as well when they link to this company) we might as well go directly to the back-end operation that's providing the information, since their own site apparently gives access to exactly the same data. Here we go ...

The company under discussion is Acceller, Inc., and you can visit their services access page at:

In the upper right-hand corner of the page, you'll find a "Search For Offers" form where a phone number may be entered -- then click "Compare Offers Now" -- it's that simple. (Note: You may need to have cookies enabled for this to work, and Internet Explorer may perform better than other browsers in some cases for these queries.)

Enter a phone number, watch the bouncing ball for 10 seconds or so, and then you stand an excellent chance of seeing a street address revealed for U.S. non-mobile numbers (along with the various service offerings available at that address, of course).

The "geniuses" who programmed that site probably won't be getting any job offers from Google anytime soon.

The implementation error is serious and obvious. The proper procedure to avoid revealing private information about unlisted numbers would be to have the user enter their address -- not reveal it from the database based on phone number -- and then verify it yes or no against the database (even this suggested technique has some privacy issues, but they are relatively less serious and could be minimized in various ways). By taking the "helpful shortcut" of revealing the address, the system is putting at risk -- for free and unlimited access by anyone at any time -- the private address information for unlisted numbers.
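As an added illustration of the design point above (example code written for this page, not Acceller's or any cable company's code), here is a minimal Python model of both designs: the address-revealing lookup the post describes, beside the address-confirmation check it recommends. The database entries, phone numbers and addresses are constructed sample data; the per-number attempt throttle and the "unknown number looks the same as wrong address" behaviour are assumed mitigations, two of the "various ways" the smaller residual risk of a yes/no check (it still confirms an address the querier already holds) can be reduced.

```python
"""Address-revealing lookup vs. address-confirmation check (added example).

Everything here is constructed sample data; it is not Acceller's code or data.
"""
import re
import secrets
from collections import defaultdict

# Constructed serviceability database: phone number -> street address on file.
# The 'listed' flag only shows that an unlisted number gets no extra protection
# from the insecure lookup: it is returned exactly like a listed one.
SERVICEABILITY_DB = {
    "2135550100": {"address": "100 Example St, Los Angeles, CA 90001", "listed": True},
    "2135550199": {"address": "42 Hidden Ln, Los Angeles, CA 90002", "listed": False},
}


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_address(raw: str) -> str:
    """Case-fold and collapse punctuation/whitespace so minor typing differences still match."""
    return " ".join(re.sub(r"[^\w\s]", " ", raw.lower()).split())


# --- The design the post criticizes: phone number in, street address out. ---
def lookup_address_insecure(phone: str):
    """The 'helpful shortcut': returns the address on file for any number, unlisted or not."""
    rec = SERVICEABILITY_DB.get(normalize_phone(phone))
    return rec["address"] if rec else None


# --- The design the post recommends: the user supplies the address, the server answers yes/no. ---
_attempts = defaultdict(int)
MAX_ATTEMPTS_PER_PHONE = 5  # assumed throttle; a real deployment would also key on the caller


def verify_address(phone: str, claimed_address: str) -> bool:
    """True only when the caller already knows the address on file for that number.

    Unknown number, mismatched address and an over-throttle caller all yield the
    same False, so the answer does not reveal whether the number exists at all.
    """
    key = normalize_phone(phone)
    _attempts[key] += 1
    if _attempts[key] > MAX_ATTEMPTS_PER_PHONE:
        return False
    rec = SERVICEABILITY_DB.get(key)
    stored = normalize_address(rec["address"]) if rec else ""
    claimed = normalize_address(claimed_address)
    # Constant-time comparison so response timing does not hint at a partial match.
    return secrets.compare_digest(stored.encode(), claimed.encode())


if __name__ == "__main__":
    unlisted = "(213) 555-0199"
    print("insecure lookup reveals:", lookup_address_insecure(unlisted))
    print("verify correct address:", verify_address(unlisted, "42 hidden ln, los angeles ca 90002"))
    print("verify wrong address:  ", verify_address(unlisted, "1 Wrong St, Nowhere, CA 00000"))
```

The insecure function is the behaviour the post describes: a bare phone number is enough to get the address back. The confirmation function never emits an address; it only agrees or disagrees with one the user typed, and after the throttle trips it disagrees with everything.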

I'm afraid that's really all there is to it. Simple, clean, and neat, to be sure. If you've been paying your local phone company every month for an unlisted number and are upset by this situation, I urge you to contact your telephone company, Acceller, and -- who knows? -- perhaps even your legislative representatives might be intrigued, among other persons and groups.

Unfortunately, this isn't the sort of Christmas present that most people probably would wish for. But it appears to be Acceller that's doing all of the ho-ho-hoing.


Update (December 21, 2007): As of 0900 PST this morning, the exploit is still up and running.

A few additional notes:

First, if the number you enter is not in the database, you may be asked to enter your address manually -- under normal conditions for numbers that are in the database this step will not take place and the address will be presented to you based solely on the phone number. It still appears that my earlier estimate -- that about 80% or so of landline numbers do show up with correct addresses in the database -- is pretty close to the mark, but as I pointed out above there are missing numbers, and inaccurate data for some numbers.

It's reported that persons who have their billing address set to a P.O. box may get that address returned rather than a street address, which seems logical enough.

Finally for now, I've had a report from someone who tested a number deep in an inbound-only rotary hunt group -- a number that would never have been listed of course -- and had the address come up correctly. This tends to point strongly toward the ILEC (phone company) as the data source in that case at least.


Posted by Lauren at December 20, 2007 04:10 PM