I just realised that when I sign into My Vodafone for my prepay number and select Profile > My details, it takes me to a page with URL [removed].
This does not seem very secure?
Requires me to login.
Edit: Confirmed. Pretty serious.
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
Yes, only works if I am already logged into my account and then change the URL.
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
DeroyBoy:
Yes, only works if I am already logged into my account and then change the URL.
I have confirmed it with several mobile numbers. Loads anyone with an active My Vodafone account. Pretty serious...
Indeed quite serious. Looks patched in some sections, broken in others.
I'd personally be pushing for My Vodafone to go into maintenance mode straight away in the short term if I was on that side of the fence...
Edit:
Further checks: seems only pure angler-exposed sections of the site are abusable; the sections that do their own callout pick up on the issue and simply silently fail.
#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
hio77:
Edit:
Further checks: seems only pure angler-exposed sections of the site are abusable; the sections that do their own callout pick up on the issue and simply silently fail.
Didn't used to do that. I successfully updated some details through it (and confirmed this).
michaelmurfy:
Didn't used to do that. I successfully updated some details through it (and confirmed this).
Maybe it was CIRL related to load-balancing? I didn't really go much further than testing quickly; it is 12.45am after all...
Otherwise, bits are fixed already, which is great, but still concerning that it still exists elsewhere.
Retested:
Definitely is not working on jsloading objects (my number is blanked, not the /targeted/ number).
hio77:
I'd personally be pushing for my vodafone to go into maintenance mode straight away in the short term if i was on that side of the fence...
+10
Wouldn't take long to crawl a good chunk of the address space. This is how you end up on https://haveibeenpwned.com/PwnedWebsites#Vodafone
Or at the very least this afternoon's news.
I have hidden this thread to give Vodafone some time to work on a solution or interim workaround.
It seems the Profile page is currently being redirected back to the connections page (the list of phone numbers), which is not affected by this fault.
For those who think this isn't a big deal... While this page was spitting out other people's details, someone could write a script to log in as a valid user and simply go through a range of numbers. Should a response with valid data come back, the data could be extracted and stored away. Data including name, email address and birth date could be used for identity theft, phishing scams, spam or more.
If you use a special email address for each service, someone could call you pretending to be from Vodafone and by saying that's your email address it could get your trust and ask for things like "We need your card number to confirm", etc.
There are lots of bad things that could happen from some customer data.
Nice to see these pages are now locked. Security and performance are features, not afterthoughts. Whoever is developing/updating these pages should have a formal testing framework and have both these tenets in mind.
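To make the fault described above concrete (any logged-in session could read details for any number in the URL) and the kind of test the previous post asks for, here is an added example that is not Vodafone's code or anyone's post in this thread: an unchecked details lookup beside one that verifies the number belongs to the signed-in account, plus a log check that flags a single session reading many different numbers. Account ids, numbers, profiles and the log format are all constructed for the example.

```python
# Added example (not My Vodafone's code): ownership check for a "my details"
# lookup keyed by phone number, beside the unchecked behaviour the thread
# describes, plus a detection pass over constructed access-log lines.
from collections import defaultdict

# Constructed sample data: which numbers belong to which logged-in account.
ACCOUNT_NUMBERS = {"acct-1": {"0211110001"}, "acct-2": {"0211110002", "0211110003"}}
PROFILES = {"0211110001": {"name": "A. Example", "dob": "1990-01-01"},
            "0211110002": {"name": "B. Example", "dob": "1985-05-05"},
            "0211110003": {"name": "C. Example", "dob": "1970-07-07"}}

class Forbidden(Exception):
    pass

def details_unchecked(session_account, number):
    """Broken behaviour: being logged in at all is enough to read any number."""
    if session_account not in ACCOUNT_NUMBERS:
        raise Forbidden("login required")
    return PROFILES.get(number)

def details_checked(session_account, number):
    """Hardened: the requested number must belong to the account behind the session."""
    if session_account not in ACCOUNT_NUMBERS:
        raise Forbidden("login required")
    if number not in ACCOUNT_NUMBERS[session_account]:
        # Refuse server-side; hiding the field in the UI is not a control.
        raise Forbidden("number not on this account")
    return PROFILES.get(number)

def suspicious_sessions(log_lines, threshold=3):
    """Detection: sessions that requested more than `threshold` distinct numbers.
    Constructed log format: 'session=<id> path=/profile/details/<number> status=<code>'."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        number = fields["path"].rsplit("/", 1)[-1]
        seen[fields["session"]].add(number)
    return sorted(s for s, nums in seen.items() if len(nums) > threshold)

# Constructed access log: session s2 walks a range of numbers, s1 reads its own.
SAMPLE_LOG = [
    "session=s1 path=/profile/details/0211110001 status=200",
    "session=s2 path=/profile/details/0211110002 status=200",
    "session=s2 path=/profile/details/0211110003 status=200",
    "session=s2 path=/profile/details/0211110004 status=200",
    "session=s2 path=/profile/details/0211110005 status=200",
]
```

A regression test for `details_checked` (own number allowed, another account's number refused) is the formal check that would have caught this before release.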
Vodafone might like to retain Kordia Security Services. I've found them excellent.