macrumors bot
Original poster

A security vulnerability in T-Mobile's website let anyone gain access to the personal details of any T-Mobile customer using just a phone number, reports ZDNet.

An internal T-Mobile employee tool, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. Data that was available included full name, address, billing account number, and for some customers, tax identification numbers.

Account data, such as service status and billing status, was also included, but credit card numbers, passwords, and other sensitive information do not appear to have been compromised. ZDNet says that there were "references to account PINs used by customers as a security question" which could be used to hijack T-Mobile accounts.

The API was used by T-Mobile staff to look up customer data, but it was accessible to the public and not protected by a password. T-Mobile rectified the issue in early April after it was disclosed by security researcher Ryan Stevenson, who ultimately earned $1,000.

In a statement provided to ZDNet, T-Mobile says that it does not appear customer data was accessed using the API, but research suggests the API had been exposed since at least October 2017.
A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure." "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.
This is not the first unprotected API issue that T-Mobile has faced. Last year, a similar bug also exposed customer data to hackers.

T-Mobile has more than 74 million customers, and had this most recent bug been exploited, a simple script could have provided hackers with access to data on millions of people.

Article Link: Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number
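The article describes a lookup endpoint that answered for any phone number without credentials, and the comment below about "no evidence that any customer information was accessed" points at the logging gap that makes such a claim untestable. As an added example (not T-Mobile's code or anything from ZDNet), this Python script reviews a constructed JSON-lines audit log for such an endpoint, flagging successful lookups that carried no caller identity and clients that walked through many different numbers in a short window; the /lookup/<phone> path shape, the log fields and the sample entries are assumptions, and only the host promotool.t-mobile.com comes from the article.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical path shape for the lookup API (the article names the host,
# promotool.t-mobile.com, but not the path): /lookup/<10-digit phone number>
PHONE_PATH = re.compile(r"^/lookup/(\d{10})$")

# Constructed JSON-lines audit log: "user" is the authenticated caller, empty
# when the request carried no credentials. One employee doing two lookups,
# one anonymous client walking consecutive numbers, one unrelated request.
SAMPLE_LOG = """\
{"ts":"2018-04-01T10:00:01Z","ip":"10.1.2.3","user":"rep042","path":"/lookup/2065550101","status":200}
{"ts":"2018-04-01T10:00:02Z","ip":"10.1.2.3","user":"rep042","path":"/lookup/2065550177","status":200}
{"ts":"2018-04-01T10:00:02Z","ip":"203.0.113.9","user":"","path":"/lookup/2065550100","status":200}
{"ts":"2018-04-01T10:00:03Z","ip":"203.0.113.9","user":"","path":"/lookup/2065550101","status":200}
{"ts":"2018-04-01T10:00:03Z","ip":"203.0.113.9","user":"","path":"/lookup/2065550102","status":200}
{"ts":"2018-04-01T10:00:04Z","ip":"203.0.113.9","user":"","path":"/lookup/2065550103","status":200}
{"ts":"2018-04-01T10:00:09Z","ip":"203.0.113.9","user":"","path":"/healthz","status":200}
"""

def parse_lookups(log_text):
    """Yield (ts, ip, user, phone, status) for calls to the lookup path only."""
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        m = PHONE_PATH.match(rec["path"])
        if m:
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, rec["ip"], rec["user"], m.group(1), rec["status"]

def review(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Findings: successful lookups with no caller identity, and clients that
    queried more than max_distinct different numbers inside one window."""
    unauthenticated = []               # (ip, phone) served without credentials
    by_client = defaultdict(list)      # caller (or IP if anonymous) -> hits
    for ts, ip, user, phone, status in parse_lookups(log_text):
        if not user and status == 200:
            unauthenticated.append((ip, phone))
        by_client[user or ip].append((ts, phone))
    enumerators = {}
    for client, hits in by_client.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - t0 <= window}
            if len(distinct) > max_distinct:
                enumerators[client] = len(distinct)
                break
    return {"unauthenticated": unauthenticated, "enumerators": enumerators}
```

Without an audit record of who queried which number, neither finding can be produced after the fact, which is the practical meaning of "no evidence" in a breach statement.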
 
No customer data has been compromised... Until the big investigation and then class action lawsuits... these are so predictable!!
 
Pro tip from someone who works in Information Assurance, and has been involved in cleaning up several companies’ similar messes: anytime you see “we have no evidence that any customer information was accessed”, you can assume that they have zero logging. They ‘have no evidence’ because they have no logs; they aren’t saying it didn’t happen, it’s just a nice way to make it seem like nothing bad happened. Ask for evidence proving nothing bad happened, and you’ll be met with a horrified stare.
 
Until we start punishing these stupid mistakes with penalties that actually hurt, this is just going to happen over and over...
I agree. Didn’t California have a law that was in the works? I can’t remember which state, but these companies need to be hit and hit hard for their foolishness.
 
For all the "uncarrier" stuff that T-Mobile has been pushing for the past few years (which they've already rolled back a lot of), they sure seem to ignore their security.

They screwed a lot of their customers over in the past when they used Experian to run credit checks, knowing full well that their servers might not be secure, but still went along with it. The result? Experian gets hacked, and customers' personal info gets stolen. Then they started asking people to set support line passwords like a month or two ago after scammers were hijacking people's lines in order to get into bank accounts, and now this.

In the end, they quickly sweep this stuff under the rug, and carry on with business as usual.