Kane Gamble, a British teenager who admitted in a court last month that he tried to hack into the computers of some of the top US officials, has been trying to look for vulnerabilities in T-Mobile. According to a latest report, the hacker found a critical security bug in a T-Mobile website that enabled attackers to hijack and take control of T-Mobile's customer accounts.
“It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down."
Gamble, now 18, pleaded guilty to ten charges of attempted intrusions from late 2015 to mid 2016, during which he targeted high level officials in the US Department of Justice. These included former CIA chief John Brennan; James Clapper, the Director of National Intelligence in the Obama administration; Jeh Johnson, the former US Secretary of Homeland Security; and John Holdren, Obama’s former science and technology adviser.
T-Mobile continues to deal with security issues
The telecom giant has been dealing with a number of security issues in the past few months. Last year it was revealed that data of over 76 million T-Mobile subscribers was potentially exposed as hackers exploited a website bug for months.
The latest report on T-Mobile security bugs comes from a security researcher who has been himself charged for cyber intrusions. While Gamble awaits sentencing for the crimes that he committed when he was 15, he has been reporting bugs, one of which was discovered back in December. "
Everyone that was logging in could’ve had their account hacked,” Gamble told Motherboard about the latest T-Mobile bug.
"You could monitor it for a very long time and honestly I don’t think they’d ever suspect it."
While the vulnerability was discovered in December, it has only now been revealed. It remains unclear why wasn't this bug revealed and fixed more promptly. To the carrier's credit, after learning about the vulnerability, T-Mobile fixed it in less than 24 hours and reportedly awarded hacker $5,000 for the discovery.
"This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," T-Mobile said in its statement. "We found no evidence of customer information being compromised."
- The bug report isn't publicly available and cannot be verified; we have written to T-Mobile for more details and will update this space as we learn more.