An unsecured T-Mobile tool potentially gave access to millions of customers’ details to anyone with a URL and a phone number, according to ZDNet. The bug left an internal T-Mobile tool reachable by anyone who knew where to look, the report says; supplying just a phone number returned the customer’s full name, billing address, account number, and in some cases tax ID info.
The flaw was exposed by a security researcher, Ryan Stephenson, who first reported the bug to T-Mobile’s bug bounty program in return for $1,000. T-Mobile pulled the website soon after the bug was reported in early April.
In a statement, T-Mobile said: “The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure. The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
Although this is exactly the kind of thing a bug bounty program is designed to find and fix before it can be exploited, the data breach is worrying in the context of increased “port-out” fraud on mobile accounts in recent years. As phone numbers are increasingly used as a recovery tool for highly valuable services like online banking or email, a common scam involves an attacker calling your wireless provider to port your service out to a different provider, or to switch a particular phone number to a new SIM card. Once that is done, any recovery info for banking, email, or anything else is sent to the attacker rather than the victim. Unless a wireless account is secured with a strong PIN or a second authentication method, providers often use ZIP codes, birthdays, and account info to verify the caller — exactly the kind of data this breach would have exposed.