T-Mobile Website Vulnerability Let Anyone View Other Customers’ Account Information
A website belonging to the multinational mobile operator T-Mobile was recently found to have a security flaw that allowed anyone to access any other customer’s personal account information simply by supplying a mobile number. According to financial results released earlier this month, T-Mobile currently has more than 74 million customers worldwide.
According to ZDNet, the vulnerability, discovered by security researcher Ryan Stevenson, existed on a subdomain of the T-Mobile website, promotool.t-mobile[.]com, a customer service portal through which T-Mobile employees access the company’s internal tools.
Stevenson found that the subdomain hosted a hidden API: appending a T-Mobile customer’s mobile phone number to the end of the URL caused it to return that customer’s data. The returned data included the customer’s full name, e-mail address, billing account number and, in some cases, tax identification number.
The returned data also included account status information, such as whether the bill was overdue or the customer’s service had been suspended, and could even include the account PIN the customer had set for technical support.
Notably, the subdomain could easily be found through search engines, which means that anyone could have used the leaked information to hijack other accounts without much expertise.
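As an added illustration (not code from this article or from T-Mobile), the lookup below shows the access-control failure described above beside a hardened version that authenticates the caller, authorizes the specific record, keeps secrets such as the support PIN out of the response, and logs each access; all records, session tokens and field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import logging

log = logging.getLogger("account_lookup")


@dataclass
class Customer:
    phone: str
    full_name: str
    email: str
    account_number: str
    support_pin: str  # must never leave the server in a lookup response
    delinquent: bool = False


# Constructed sample records, not real customers.
CUSTOMERS = {
    "15550100001": Customer("15550100001", "Alice Example", "alice@example.com", "ACC-1001", "4321"),
    "15550100002": Customer("15550100002", "Bob Example", "bob@example.com", "ACC-1002", "9876", True),
}
# Constructed session store: token -> (principal, role). A customer's principal is their own number.
SESSIONS = {"emp-token": ("agent42", "employee"), "cust-token": ("15550100001", "customer")}


class Forbidden(Exception):
    pass


def lookup_flawed(phone: str) -> dict:
    """The flawed pattern: the number in the URL is the only input and no caller identity is checked."""
    return vars(CUSTOMERS[phone])  # returns every field, support PIN included


def lookup_hardened(session_token: Optional[str], phone: str) -> dict:
    """Authenticate the caller, authorize the specific record, minimize the response, log the access."""
    principal, role = SESSIONS.get(session_token or "", (None, None))
    if principal is None:
        raise Forbidden("authentication required")
    # Object-level authorization: customers may read only their own record, employees any record.
    if role == "customer" and principal != phone:
        raise Forbidden("caller does not own this account")
    c = CUSTOMERS.get(phone)
    if c is None:
        raise KeyError("unknown account")
    log.info("lookup principal=%s role=%s phone=%s", principal, role, phone)  # audit trail for detection
    # Response minimization: the support PIN is never part of a lookup response.
    return {"full_name": c.full_name, "email": c.email,
            "account_number": c.account_number, "delinquent": c.delinquent}
```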
Stevenson reported the flaw to T-Mobile in early April of this year. The company quickly disabled the API and awarded him $1,000 through its bug bounty program.
A T-Mobile spokesperson said: “The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure. The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
According to Motherboard, this flaw is almost identical to the T-Mobile website API exposure discovered last October; the only difference is that the vulnerability existed on a different subdomain. At the time, T-Mobile likewise said it had found no evidence that customer data had been stolen, but it later confirmed that the exposed API had been discovered by hackers and used for more than a few weeks.
It is unclear how long this newly discovered API was exposed before it was disabled, but according to historical search records the subdomain had been running since at least October of last year.
Data leaks are not new to T-Mobile. As early as 2015, a business unit of Experian, which processed credit card applications for T-Mobile, was hacked, exposing the personal information of 15 million T-Mobile customers, including full names, dates of birth, home addresses, social security numbers, passport or driver’s license numbers, and additional information such as data used for credit assessment.