Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

MetroPCS payment site bug left millions at risk

A pair of security researchers discovered a bug on the MetroPCS payment website that left the personal information of more than 10 million subscribers exposed.

An attacker could access a user's name, address, phone model and serial number, and monthly rate, by using a Firefox plugin to send an HTTP request to the MetroPCS website using the customer's number, according to a report in Vice's Motherboard.

Eric Taylor and Blake Welsh made the discovery. Taylor told Motherboard that an attacker could use the vulnerable data on the MetroPCS site to carry out social engineering attacks, such as calling the provider's customer service to gather more information on a victim or using the data to gain unauthorized access into other accounts.

It may have also been possible for an attacker to “clone” a victim's phone to intercept their calls or even create a script that could be used to obtain the information of every MetroPCS subscriber, the report said.

The researchers reported the vulnerability to Motherboard in mid October although the story was held until the bug was patched in order to protect customer data.

There is reportedly no evidence that any customer information was compromised. attempted to contact T-Mobile, MetroPCS's parent company, but they have yet to comment.

In October, a breach at T-Mobile vendor Experian exposed the personally identifiable information of about 15 million customers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.