All that was needed was their phone number. The database was wide open and miscreants jumped on it fast. A post on Reddit said it all.
Everybody who knows your HelloMobile number can get the following info about you:
- First and Last Name
- Home address
- History of your phone calls (from/to)
- History of your text messages (from/to)
- HelloMobile account number (used for porting)
Last time I informed HelloMobile and the app developer about this bug in February 2021, but as of 04/05/2021 it is not fixed yet.
An attacker just needs to install this app on any Android phone (without a HelloMobile SIM, even without a SIM at all), enter the HM number into the input field, and that’s all. No password asked.