T-Mobile bug temporarily let anyone access sensitive customer data using just their phone number
May 25, 2018 | Breaches and Incidents
A bug in T-Mobile's website temporarily let anyone access the personal details of any customer, including names, addresses and, in some cases, tax identification numbers. The flaw, first reported by ZDNet, was discovered in a T-Mobile subdomain used by staff as a customer care portal. The portal was not protected by a password and could be found via search engines.
The portal contained a hidden API that would display T-Mobile customer data simply by adding a customer's phone number to the end of the web address. The returned data included the customer's full name, postal address, bill account number and, in some cases, tax ID numbers and account PINs used by customers to verify their accounts when contacting phone support. Other account information, such as whether a bill was past due or the service had been suspended, was also displayed.
If accessed, this information could let anyone hijack the customer's accounts and unlock further account details. The affected website has been live since at least October.
T-Mobile pulled the API offline a day after it was reported by security researcher Ryan Stevenson in April, ZDNet reports. Stevenson was also awarded $1,000 as a bug bounty. The company said it has so far found "no evidence" that any customer data was inappropriately accessed.
"The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure," a T-Mobile spokesperson told ZDNet. "The bug was patched as soon as possible and we have no evidence that any customer information was accessed."
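A claim of "no evidence" of access to a lookup keyed only by phone number rests on log review. The following Python is an added example, not code from the article, ZDNet or T-Mobile: it scans web access logs for successful, unauthenticated reads of such an endpoint and flags clients that read several distinct numbers. The `/lookup/<number>` path, the Common Log Format layout, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed endpoint shape (not from the article): path ending in a 10-digit number.
LOOKUP = re.compile(r"/lookup/(\d{10})$")
# Common Log Format: host ident authuser [time] "METHOD path PROTO" status size
LINE = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+'
)

def unauthenticated_lookups(lines):
    """Map client address -> set of phone numbers it read successfully
    with no authenticated user (authuser field is '-').
    Every entry is a potential exposure, even a single read."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines
        client, authuser, path, status = m.groups()
        hit = LOOKUP.search(path.split("?", 1)[0])
        if hit and status == "200" and authuser == "-":
            seen[client].add(hit.group(1))
    return dict(seen)

def flag_enumeration(lines, threshold=3):
    """Clients that read at least `threshold` distinct numbers unauthenticated."""
    found = unauthenticated_lookups(lines)
    return sorted(c for c, nums in found.items() if len(nums) >= threshold)

# Constructed sample log: documentation IP ranges and fictional 555 numbers.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2018:10:00:01 +0000] "GET /lookup/2065550101 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Apr/2018:10:00:02 +0000] "GET /lookup/2065550102 HTTP/1.1" 200 809',
    '198.51.100.7 - - [10/Apr/2018:10:00:03 +0000] "GET /lookup/2065550103 HTTP/1.1" 200 815',
    '198.51.100.7 - - [10/Apr/2018:10:00:04 +0000] "GET /lookup/2065550104 HTTP/1.1" 404 120',
    '198.51.100.7 - - [10/Apr/2018:10:00:05 +0000] "GET /lookup/2065550101 HTTP/1.1" 200 812',
    '203.0.113.9 - agent1 [10/Apr/2018:10:01:00 +0000] "GET /lookup/2065550111 HTTP/1.1" 200 800',
    '203.0.113.9 - agent1 [10/Apr/2018:10:01:05 +0000] "GET /lookup/2065550112 HTTP/1.1" 200 801',
    '203.0.113.9 - agent1 [10/Apr/2018:10:01:09 +0000] "GET /lookup/2065550113 HTTP/1.1" 200 799',
    '192.0.2.44 - - [10/Apr/2018:10:02:00 +0000] "GET /lookup/2065550199?fmt=json HTTP/1.1" 200 640',
    'truncated line without a request field',
]

if __name__ == "__main__":
    for client, numbers in unauthenticated_lookups(SAMPLE_LOG).items():
        print(client, len(numbers), "distinct numbers read without authentication")
    print("enumeration suspects:", flag_enumeration(SAMPLE_LOG))
```

Source address alone undercounts a caller who spreads requests across many addresses, so the per-number output of `unauthenticated_lookups` is the figure to reconcile against the customer list.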