A bug in T-Mobile's website temporarily let anyone access the personal details of any customer, including their names, addresses and, in some cases, tax identification numbers. The flaw, first reported by ZDNet, was discovered in a T-Mobile subdomain used by staff as a customer care portal. The portal was not protected by a password and could be found via search engines.
The portal contained a hidden API that would display T-Mobile customer data simply by adding a customer's phone number to the end of the web address. The returned data included the customer's full name, postal address, bill account number and, in some cases, tax ID numbers and the account PINs customers use to verify their identity when contacting phone support. Other account information, such as whether a bill was past due or service had been suspended, was also displayed.
If accessed, this information could let anyone hijack the customer's accounts and unlock further account details. The affected website has been live since at least October.
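The failure described above is an unauthenticated lookup endpoint keyed on a phone number. As an added illustration (not T-Mobile's code, which is not public; the record store, session model, role name and field names are constructed assumptions), here is that weak handler pattern next to a hardened one that requires an authenticated care agent, strips PIN and tax ID from the response, and records every lookup so bulk enumeration can be spotted:

```python
# Added example: an unauthenticated customer-lookup endpoint (the class of bug
# described in the article) beside a hardened version. Not T-Mobile's code;
# the data store, session model and field names are constructed here.
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by phone number.
CUSTOMERS = {
    "5550100": {"name": "A. Sample", "address": "1 Example St",
                "account": "ACCT-1", "tax_id": "TAX-1", "pin": "4321",
                "past_due": False, "suspended": False},
}
SENSITIVE = {"tax_id", "pin"}  # never sent to a browser, even for staff
AUDIT_LOG: list = []           # stands in for a write to a real audit sink

@dataclass
class Request:
    phone: str
    session: Optional[dict] = None   # None = no login, as in the exposed portal

def lookup_vulnerable(req: Request) -> dict:
    """Weak form: any caller who knows a phone number gets the full record."""
    rec = CUSTOMERS.get(req.phone)
    return {"status": 200, "body": rec} if rec else {"status": 404, "body": None}

def lookup_hardened(req: Request) -> dict:
    """Require an authenticated care agent, redact secrets, audit every hit."""
    sess = req.session
    if not sess or not sess.get("user"):
        return {"status": 401, "body": None}           # authenticate first
    if "care_agent" not in sess.get("roles", ()):
        return {"status": 403, "body": None}           # then authorize
    rec = CUSTOMERS.get(req.phone)
    # Record who looked up which number and whether it existed, so a SIEM
    # rule can flag one account walking through many numbers.
    AUDIT_LOG.append({"user": sess["user"], "phone": req.phone,
                      "found": rec is not None})
    if not rec:
        return {"status": 404, "body": None}
    return {"status": 200,
            "body": {k: v for k, v in rec.items() if k not in SENSITIVE}}

def enumeration_alert(log: list, threshold: int = 3) -> set:
    """Detection helper: users who queried more distinct numbers than allowed."""
    seen: dict = {}
    for entry in log:
        seen.setdefault(entry["user"], set()).add(entry["phone"])
    return {user for user, phones in seen.items() if len(phones) > threshold}
```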
T-Mobile pulled the API offline a day after it was reported by security researcher Ryan Stevenson in April, ZDNet reports. Stevenson was also awarded $1000 in a bug bounty. The company said it has currently found "no evidence" that any customer data was inappropriately accessed.
"The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure," a T-Mobile spokesperson told ZDNet. "The bug was patched as soon as possible and we have no evidence that any customer information was accessed."