Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 24, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A security vulnerability in T-Mobile's website let anyone gain access to the personal details of any T-Mobile customer using just a phone number, reports ZDNet.

    An internal T-Mobile employee tool, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. Data that was available included full name, address, billing account number, and for some customers, tax identification numbers.


    Account data, such as service status and billing status, was also included, but it does not appear that credit card numbers, passwords, or other sensitive information was compromised. ZDNet says that there were "references to account PINs used by customers as a security question" that could be used to hijack T-Mobile accounts.

    The API was used by T-Mobile staff to look up customer data, but it was accessible to the public and not protected by a password. T-Mobile rectified the issue in early April after it was disclosed by security researcher Ryan Stevenson, who ultimately earned $1,000.

    In a statement provided to ZDNet, T-Mobile says that it does not appear customer data was accessed using the API, but research suggests the API had been exposed since at least October 2017.

    This is not the first unprotected API issue that T-Mobile has faced. Last year, a similar bug also exposed customer data to hackers.

    T-Mobile has more than 74 million customers, and had this most recent bug been exploited, a simple script could have provided hackers with access to data on millions of people.

    Article Link: Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number
     
  3. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #3
    Until we start punishing these stupid mistakes with penalties that actually hurt, this is just going to happen over and over...
     
  4. justperry macrumors G3

    justperry

    Joined:
    Aug 10, 2007
    Location:
    In the core of a black hole.
    #4
    Doesn't that apply to most big providers in the USA? :rolleyes:
    The other big ones have their own "issues".
     
  5. kanki1985 macrumors newbie

    Joined:
    Oct 8, 2013
    #5
    No customer data has been compromised.. Until the big investigation and then class action lawsuits.. these are soo predictable!!
     
  8. Jaspio macrumors newbie

    Jaspio

    Joined:
    Dec 23, 2015
    Location:
    Nootdorp, Netherlands
    #8
    Any T-Mobile worldwide number or just US customers?
     
  9. UnionVGF macrumors 6502a

    UnionVGF

    Joined:
    Oct 4, 2013
    #9
    Only $1000 for a catastrophic possible breach discovery? That's like getting paid $45 in a contest that was used as the Mets logo.
     
  10. dhess34 macrumors newbie

    Joined:
    Feb 14, 2008
    #10
    Pro tip from someone that works in Information Assurance, and has been involved in cleaning up several companies’ similar messes: anytime you see “we have no evidence that any customer information was accessed”, you can assume that they have zero logging. They ‘have no evidence’ because they have no logs; they aren’t saying it didn’t happen, it’s just a nice way to make it seem like nothing bad happened. Ask for evidence proving nothing bad happened, and you’ll be met with a horrified stare.
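The unprotected lookup described in the article above and the logging point made in this post, as an added example that is not T-Mobile's code, ZDNet's, or anyone's from this thread: a minimal Python customer-lookup handler in the flawed form (whatever number is appended to the path returns the full record, with nothing checked and nothing logged) beside a hardened form that requires a staff bearer token, checks scope, returns only the fields the workflow needs, and writes an audit record for every lookup attempt, so that "was this record accessed?" can be answered from the log instead of from its absence. The customer records, tokens, scope name, staff ids and addresses are constructed sample data; the `Request`/`Response` classes stand in for whatever web framework a real tool would use.

```python
"""Added example, not code from T-Mobile, ZDNet or this thread.

A customer-lookup handler modelled on the flaw described in the article:
the unprotected form returns the full record for whatever number is appended
to the path, with nothing checked and nothing logged; the hardened form
requires a staff bearer token, checks scope, returns only the fields the
workflow needs, and writes an audit record for every lookup attempt so that
"was this record accessed?" is answered from the log rather than from its
absence. Customers, tokens, scope names and staff ids are constructed data.
"""
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample records keyed by phone number (no real customers).
CUSTOMERS = {
    "5551230001": {"name": "A. Sample", "address": "1 Example St",
                   "account": "ACC-1001", "tax_id": "XXX-XX-0001"},
    "5551230002": {"name": "B. Sample", "address": "2 Example St",
                   "account": "ACC-1002", "tax_id": "XXX-XX-0002"},
}

# Constructed staff credentials: token -> (staff id, granted scopes).
STAFF_TOKENS = {
    "tok-support-7": ("staff-7", {"customer:read"}),
    "tok-readonly-9": ("staff-9", set()),
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit sink


@dataclass
class Request:
    path: str                                  # e.g. "/api/customer/5551230001"
    headers: dict = field(default_factory=dict)
    remote_addr: str = "203.0.113.5"           # constructed, documentation range


@dataclass
class Response:
    status: int
    body: dict


def phone_from_path(path):
    """The tool used the trailing path segment as the lookup key."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def lookup_unprotected(req):
    """The flawed pattern: no credential, no scope check, no audit record."""
    rec = CUSTOMERS.get(phone_from_path(req.path))
    if rec is None:
        return Response(404, {"error": "not found"})
    return Response(200, rec)


def _audit(event, req, staff_id=None, phone=None):
    AUDIT_LOG.append({"ts": time.time(), "event": event, "staff": staff_id,
                      "phone": phone, "src": req.remote_addr})


def _authenticate(req):
    """Return (staff_id, scopes) for a valid bearer token, else None.
    compare_digest keeps the token comparison constant-time."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, identity in STAFF_TOKENS.items():
        if hmac.compare_digest(token.encode(), presented):
            return identity
    return None


def lookup_hardened(req):
    """Authenticate, authorise, minimise the response, and log every attempt."""
    phone = phone_from_path(req.path)
    identity = _authenticate(req)
    if identity is None:
        _audit("auth_failed", req, phone=phone)
        return Response(401, {"error": "authentication required"})
    staff_id, scopes = identity
    if "customer:read" not in scopes:
        _audit("authz_denied", req, staff_id, phone)
        return Response(403, {"error": "insufficient scope"})
    rec = CUSTOMERS.get(phone)
    _audit("lookup", req, staff_id, phone)     # record hits and misses alike
    if rec is None:
        return Response(404, {"error": "not found"})
    # Field minimisation: the support workflow needs name and account, not the tax id.
    return Response(200, {k: rec[k] for k in ("name", "account")})


def accesses_of(phone):
    """Which staff identities successfully looked up this number, and when."""
    return [e for e in AUDIT_LOG if e["event"] == "lookup" and e["phone"] == phone]
```

With the hardened handler, an unauthenticated probe of the path produces an `auth_failed` entry rather than a record, and a burst of such entries across many numbers from one source address is the detection signal for the kind of scripted enumeration the article warns about; `accesses_of` is the query a response team needs in order to state, with evidence, whether a given customer's record was ever returned.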
     
  11. Jaspio macrumors newbie

    Jaspio

    Joined:
    Dec 23, 2015
    Location:
    Nootdorp, Netherlands
    #11
    LOL never let a glorified marketing drone talk technology. They can only embarrass their company and expose it to malpractice suits.
     
  12. Mr. Heckles macrumors regular

    Mr. Heckles

    Joined:
    Mar 20, 2018
    Location:
    Around
    #12
    I agree. Didn’t California have a law that was in the works? I can’t remember what State, but these companies need to be hit and hit hard for their foolishness.
     
  16. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #16
    Austria?
     
  17. profets macrumors 68040

    Joined:
    Mar 18, 2009
    #17
    Yeah, that’s true.

    I almost wondered if those tweets about how good their security is resulted in some people taking it as a challenge to find something.
     
  19. danielchow macrumors member

    danielchow

    Joined:
    Aug 11, 2008
    Location:
    Philadelphia, PA
    #19
    Groan. Sloppy programming.
    --- Post Merged, May 24, 2018 ---
    What I thought too: that’s it???
     
  20. Wags macrumors 6502

    Joined:
    Mar 5, 2006
    Location:
    Nebraska, USA
    #20
    But, the new FCC is pro carriers and has said the carriers really have to do about the minimum effort.
     
  21. Tech198 macrumors G5

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #21
    ..and what better sending them a reward ...
     
  24. definitive macrumors 68000

    definitive

    Joined:
    Aug 4, 2008
    #24
    For all the "uncarrier" stuff that T-Mobile has been pushing for the past few years (which they've already rolled back a lot of), they sure seem to ignore their security.

    They screwed a lot of their customers over in the past when they used Experian to run credit checks, knowing full well that their servers might not be secure, but still went along with it. The result? Experian gets hacked, and customers' personal info gets stolen. Then they started asking people to set support line passwords like a month or two ago after scammers were hijacking people's lines in order to get into bank accounts, and now this.

    In the end, they quickly sweep this stuff under the rug, and carry on with business as usual.
     
  25. ersan191 macrumors 6502a

    Joined:
    Oct 26, 2013
    #25
    autocomplete got me.
     
