A glitch in T-Mobile’s website allowed anyone to look up customer details including full names, postal addresses, billing account numbers, and in some cases information about tax identification numbers.
The data also showed whether a bill was past due and whether the customer's service had been suspended, and it included references to account PINs, which could let anyone hijack an account by using that information to answer the security question asked by phone support, according to ZDNet.
The vulnerability was discovered by security researcher Ryan Stevenson and was the result of an unprotected API on the subdomain promotool.t-mobile.com, which T-Mobile staff used to look up account details.
Stevenson reported the flaw in early April and was later awarded $1,000 through the company's bug bounty program; the subdomain was temporarily taken offline for a day while the vulnerability was patched.
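The failure mode described above, an internal lookup endpoint that anyone on the internet can call, is easy to see in miniature. The following is an added example written for this page, not T-Mobile's code and not a reconstruction of the promotool API: it places a handler with no caller check beside a hardened version of the same lookup. The account records, the staff session store, the header name `X-Staff-Token` and the request shape are all constructed assumptions.

```python
"""Added illustration (not T-Mobile's code) of an internal account-lookup
endpoint with no authentication, beside a hardened version of the same handler.

All data and names below are constructed for the demonstration.
"""
import hmac

# Constructed sample record: a tiny "customer database" keyed by phone number.
ACCOUNTS = {
    "5551234567": {
        "name": "Sample Customer",
        "address": "1 Example St, Example City",
        "billing_account": "123456789",
        "past_due": True,
        "suspended": False,
        # Internal reference to the account PIN; must never leave the system.
        "account_pin_ref": "pin:hash:abc123",
    }
}

# Constructed staff sessions: token -> staff id. A real deployment would back
# this with the staff identity provider rather than a dict.
STAFF_SESSIONS = {"tok-staff-001": "agent42"}


def vulnerable_lookup(request):
    """Handler modelled on the failure mode: nothing checks who is calling.

    Anyone who can reach the host receives the full internal record,
    PIN reference included.
    """
    account = ACCOUNTS.get(request.get("phone", ""))
    if account is None:
        return 404, {"error": "not found"}
    return 200, account


def _authenticate_staff(request):
    """Return the staff id for a valid session token, or None.

    compare_digest keeps the comparison constant-time so token bytes do not
    leak through timing differences.
    """
    presented = request.get("headers", {}).get("X-Staff-Token", "")
    for token, staff_id in STAFF_SESSIONS.items():
        if hmac.compare_digest(presented, token):
            return staff_id
    return None


def hardened_lookup(request):
    """Same lookup with the two controls the vulnerable handler lacks:

    1. the caller must present a valid staff session, and
    2. the response carries only what a support agent needs: the PIN
       reference stays server-side and the billing account number is masked.
    """
    if _authenticate_staff(request) is None:
        return 401, {"error": "staff authentication required"}
    account = ACCOUNTS.get(request.get("phone", ""))
    if account is None:
        return 404, {"error": "not found"}
    return 200, {
        "name": account["name"],
        "address": account["address"],
        "billing_account": "*****" + account["billing_account"][-4:],
        "past_due": account["past_due"],
        "suspended": account["suspended"],
    }


if __name__ == "__main__":
    anonymous = {"phone": "5551234567"}
    staff = {"phone": "5551234567", "headers": {"X-Staff-Token": "tok-staff-001"}}
    print("vulnerable, anonymous caller:", vulnerable_lookup(anonymous))
    print("hardened, anonymous caller:  ", hardened_lookup(anonymous))
    print("hardened, staff caller:      ", hardened_lookup(staff))
```

The second control matters as much as the first: even an authenticated staff tool has no reason to return PIN material to a browser, so a later authentication bug would expose far less.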
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” a T-Mobile spokesperson told ZDNet.
The incident matters for T-Mobile customers because cell phones are often critical to protecting accounts and preventing compromises, Ben Johnson, CTO and co-founder of Obsidian Security, told SC Media.
“Customers should be outraged at the recent T-Mobile security lapses. Mobile phones are often critical to protecting accounts and preventing compromise, as multi-factor authentication or phone verification are commonplace to help mitigate damage done by digital identity theft,” Johnson said. “Mistakes like this could allow adversaries to take over the phone number of the IT administrator at your business, or take over a number to further cloak their actions around wire transfers out of your account.”
Johnson added that mobile providers need to be held to a higher standard.