Deja Vu? T-Mobile Website Bug Let Anyone See Any Customer’s Account Details via Subscriber’s Phone Number
After Comcast, it appears to be T-Mobile’s turn… The company’s website allowed anyone to access the personal account details of any customer as long as they had that customer’s phone number. Sounds like something you have already heard? That’s because you have. The page that exposed customers’ personal data wasn’t protected by a password, leaving that data open to exposure for several months.
The telecom giant has now patched the bug.
The website flaw could have been “exploited by anyone who knew where to look, a little-known T-Mobile subdomain that staff use as a customer care portal to access the company’s internal tools,” ZDNet reported. “The subdomain — promotool.t-mobile.com, which can be easily found on search engines — contained a hidden API that would return T-Mobile customer data simply by adding the customer’s cell phone number to the end of the web address.”
Although the portal was intended for internal use, it wasn’t protected with a password and could be found via a search engine, so anyone interested could look up the personal information of T-Mobile customers.
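As an added illustration, not code from the original report or from T-Mobile: the lookup pattern ZDNet describes, a handler that returns a record for whatever phone number is appended to the URL, beside the same lookup with the controls an internal care tool needs, and a small check over constructed web-server log lines that flags a source enumerating phone numbers. Every name here (the endpoint path, the session fields, the sample records and the log lines) is hypothetical and made up for the example.

```python
import re
import time
from collections import defaultdict

# Constructed sample records keyed by E.164 phone number. Fake data, made up
# for this illustration; the field set mirrors what the article says was exposed.
CUSTOMERS = {
    "+15555550100": {"name": "Alice Example", "address": "1 Main St, Anytown",
                     "account": "1000000001", "past_due": False,
                     "pin_hint": "street you grew up on"},
    "+15555550101": {"name": "Bob Example", "address": "2 Main St, Anytown",
                     "account": "1000000002", "past_due": True,
                     "pin_hint": "first pet"},
}

E164 = re.compile(r"^\+[1-9]\d{7,14}$")


def vulnerable_lookup(phone):
    """The pattern the article describes: the only input is the phone number
    taken from the URL, and anyone who can reach the endpoint gets the record.
    Returns (http_status, body) the way an HTTP handler would."""
    record = CUSTOMERS.get(phone)
    return (200, record) if record else (404, None)


def hardened_lookup(session, phone, audit_log):
    """Same lookup with the controls a staff-only tool needs. `session` is the
    caller's authenticated session (hypothetical dict shape) and `audit_log`
    is a list the handler appends to."""
    # 1. Authentication: an unauthenticated caller gets nothing, not even a 404
    #    that would confirm whether the number belongs to a customer.
    if not session or not session.get("authenticated"):
        return (401, {"error": "login required"})
    # 2. Authorization: being logged in is not enough; the caller must hold the
    #    role that is allowed to view customer accounts.
    if "customer_care" not in session.get("roles", ()):
        return (403, {"error": "customer_care role required"})
    # 3. Input validation: reject anything that is not an E.164 number before
    #    it reaches the data layer.
    if not E164.match(phone):
        return (400, {"error": "phone must be E.164, e.g. +15555550100"})
    # 4. Audit: record who looked up which number, found or not, so enumeration
    #    by a compromised or rogue account is visible afterwards.
    audit_log.append({"agent": session["user"], "phone": phone, "ts": time.time()})
    record = CUSTOMERS.get(phone)
    if record is None:
        return (404, None)
    # 5. Data minimisation: a lookup response does not need the PIN hint.
    return (200, {k: v for k, v in record.items() if k != "pin_hint"})


# Constructed access-log lines in common log format (fabricated for this
# example): one source walks 25 consecutive numbers, another looks up three.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/May/2018:10:00:{i:02d} +0000] '
    f'"GET /api/lookup/1555555{i:04d} HTTP/1.1" 200 412'
    for i in range(25)
] + [
    f'198.51.100.9 - - [12/May/2018:10:05:0{i} +0000] '
    f'"GET /api/lookup/1555555010{i} HTTP/1.1" 200 412'
    for i in range(3)
]

LOG_RE = re.compile(r'^(\S+) .*"GET /api/lookup/(\d+)')


def find_enumerators(log_lines, threshold=20):
    """Return {source_ip: distinct_numbers} for sources that queried more than
    `threshold` distinct phone numbers: a care agent serves a handful of
    customers per hour, a scraper walks thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {ip: len(nums) for ip, nums in seen.items() if len(nums) > threshold}


if __name__ == "__main__":
    log = []
    staff = {"authenticated": True, "user": "agent42", "roles": ["customer_care"]}
    print(vulnerable_lookup("+15555550100"))
    print(hardened_lookup(None, "+15555550100", log))
    print(hardened_lookup(staff, "+15555550100", log))
    print(find_enumerators(SAMPLE_LOG))
```

The contrast makes the point that a "little-known" subdomain is not a control: the hardened handler refuses unauthenticated callers before the number is even looked up, audits every query, and strips the PIN hint from the response, while the log check gives the operator a way to notice bulk scraping after the fact.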
Data included address and account information of T-Mobile subscribers
The data that was potentially accessible to the public for several months included:
- Customer’s full name
- Postal address
- Billing account number
- Account status (whether a bill is past due or the service was suspended)
- Tax identification numbers (in some cases)
- References to account PINs used as a security question for support calls
The website bug was discovered and reported by security researcher Ryan Stevenson, who was awarded $1,000 in bug bounty by the company. “The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” T-Mobile said in its statement. “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
While T-Mobile says it has no evidence that any customer information was accessed, that appears to be the company’s cookie-cutter response every time such a bug is discovered. Last year, a similar bug was discovered that potentially put the personal information of all 71 million T-Mobile customers at risk. While the company initially gave a similar statement, it later started alerting victims of potential SMS hijacking.