Mobile Website Glitch Allowed Hackers To Access Private Customer Data For Months

Mindy Sparks
October 12, 2017

A bug on a T-Mobile website allowed hackers to access personal data - including email addresses, T-Mobile account numbers, and the IMSI of customers' phones - with nothing more than a mobile phone number, up until last week.

Motherboard spoke to Karan Saini, a security researcher from Secure7, who said that all 76 million T-Mobile subscribers could have had their data exposed through this vulnerability.

To hijack a targeted individual's social media accounts and other communications linked to a particular phone number, attackers first used the vulnerable API to pull essential account data from T-Mobile's systems. They could have exploited the data to "socially engineer", or basically con, T-Mobile technicians into handing over replacement SIMs by pretending they're the owners of the line.

"We were alerted to an issue that we investigated and fully resolved in less than 24 hours".

All it takes is sending a request with an authorized token to T-Mobile's site and plugging in a phone number at the end of it. Exploits of this type have also affected AT&T iPad accounts and MetroPCS.

With the Equifax data breach still lurking in everyone's mind and Accenture's irresponsible security protections only having come to light this week, this is yet another potential mega breach, where hackers didn't even need to break into T-Mobile's network, as everything was available to them thanks to a security bug. The bug was fixed on Friday after the company was approached by a security reporter.

However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't shared broadly, telling Motherboard that "a bunch of SIM swapping kids had [the hack] and used it for quite a while". What's really surprising about this particular attack vector is that hackers only needed a T-Mobile customer's phone number to gain access to private account details.

Mashable has reached out to T-Mobile for comment about this breach, and will update the story if we hear back.
