Wednesday, October 11, 2017

T-Mobile Website Flaw Exposed Customer Data

A flaw on T-Mobile's website allowed anyone to retrieve T-Mobile subscriber information using nothing more than a phone number. The flaw, discovered by security researcher Karan Saini, exposed users' email addresses, T-Mobile account numbers, and their SIM's unique IMSI identifier. Because the endpoint required no authentication and did not check that the caller owned the number being queried, nothing would have stopped an attacker from running a script to harvest this data at scale, iterating over obtained or simply guessed T-Mobile subscriber phone numbers.

There are parallels to the 2010 incident in which AT&T left an endpoint unprotected, allowing anyone to retrieve the personal data of iPad owners on the company's network.

In this instance, the flaw was in a T-Mobile API, and it was fixed shortly after T-Mobile was notified.
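The failure described above is a missing object-level authorization check: an API that takes a phone number and returns the matching account without first asking who is calling and whether they own that number. The toy below is an added illustration, not T-Mobile's code or the endpoint Saini found; the subscriber records, session tokens and limits are constructed, fictional values. It places the flawed lookup next to a hardened one that authenticates the caller, refuses to read any number other than the one the session was issued for, rate-limits per session, and returns only the fields a self-service page needs (the IMSI never leaves the backend). A generic `harvest` helper shows why the first version lets a script enumerate the whole customer base while the second yields only the caller's own record.

```python
"""Added example: unauthenticated lookup-by-phone-number versus a hardened version.

All data here is constructed and fictional; nothing below is T-Mobile code.
"""
from collections import defaultdict, deque
from dataclasses import asdict, dataclass
import time


@dataclass(frozen=True)
class Subscriber:
    msisdn: str          # phone number: the only input the flawed endpoint needed
    name: str
    email: str
    account_number: str
    imsi: str            # SIM identity; should never be returned to a web client


# Constructed sample subscriber store (fictional numbers in the 1-555 range).
SUBSCRIBERS = {
    s.msisdn: s for s in (
        Subscriber("15550000001", "Alice", "alice@example.com", "ACCT-0001", "310260000000001"),
        Subscriber("15550000002", "Bob",   "bob@example.com",   "ACCT-0002", "310260000000002"),
        Subscriber("15550000003", "Carol", "carol@example.com", "ACCT-0002", "310260000000003"),
    )
}

# Constructed session store: bearer token -> the number that session was issued for.
SESSIONS = {"token-alice": "15550000001", "token-bob": "15550000002"}


def vulnerable_lookup(msisdn):
    """The flawed pattern: whoever knows or guesses a number gets the entire record."""
    sub = SUBSCRIBERS.get(msisdn)
    return None if sub is None else asdict(sub)


class AuthError(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Caller is authenticated but does not own the requested number."""


class RateLimited(Exception):
    """Too many lookups from one session inside the window."""


RATE_LIMIT = 5        # lookups allowed per session per window (assumed value)
RATE_WINDOW = 60.0    # seconds (assumed value)
_recent = defaultdict(deque)   # session token -> timestamps of recent lookups


def hardened_lookup(msisdn, session_token, now=None):
    """Same query with the controls the flawed endpoint lacked.

    Order matters: authenticate, authorize against the object, rate-limit, then
    minimise the response. `now` is injectable so the limiter can be tested.
    """
    now = time.monotonic() if now is None else now
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise AuthError("no valid session")
    # Object-level authorization, decided before the data store is consulted so a
    # rejected request leaks nothing about whether the number exists.
    if caller != msisdn:
        raise Forbidden("session may not read another subscriber's record")
    window = _recent[session_token]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        raise RateLimited("too many lookups; try again later")
    window.append(now)
    sub = SUBSCRIBERS[msisdn]
    # Data minimisation: IMSI and other lines on the account stay server-side.
    return {"name": sub.name, "email": sub.email, "account_number": sub.account_number}


def harvest(lookup, numbers):
    """What a scraping script does: try every candidate number, keep whatever comes back."""
    found = {}
    for number in numbers:
        try:
            record = lookup(number)
        except (AuthError, Forbidden, RateLimited):
            continue
        if record:
            found[number] = record
    return found


if __name__ == "__main__":
    candidates = [f"1555000000{i}" for i in range(10)]
    print("vulnerable:", len(harvest(vulnerable_lookup, candidates)), "records")
    print("hardened:  ", len(harvest(lambda n: hardened_lookup(n, "token-alice"), candidates)), "record")
```

Run as a script, the enumeration against `vulnerable_lookup` returns every subscriber whose number falls in the candidate range, IMSI included, while the same loop against `hardened_lookup` returns only the caller's own, trimmed record. Rate limiting is the last line of defence here, not the first: without the ownership check, a limiter only slows the scrape down.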

"T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini told Motherboard in an e-mail exchange.

"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.

"We appreciate responsible reporting of bugs through our Bug Bounty program to protect our customers and encourage researchers to contact us at:,,," a T-Mobile spokesperson said of the flaw.

While T-Mobile claims that nobody exploited the flaw, several hackers have told Motherboard otherwise. A "bunch of sim swapping skids had the [vulnerability] and used it for quite a while," the hackers claim. T-Mobile, however, continues to insist that the company "found no evidence of customer accounts affected as a result of this vulnerability."
