Bug Exposed T-Mobile Customer Account Details

Posted at 2:12 pm on May 25, 2018

The personal account details of T-Mobile customers were easily accessible for an unknown period of time thanks to a bug in T-Mobile’s website.

The site in question was a subdomain used by T-Mobile staff to access customer account information when performing customer service tasks. The subdomain, however, was not protected by a password and could be used by anyone who knew how to find it. Using T-Mobile customer phone numbers, anyone could have quickly discovered names, account numbers, addresses, tax information, account payment status, PINs, and more.

Security researcher Ryan Stevenson discovered the vulnerability in April and alerted T-Mobile. T-Mobile pulled the API in question and fixed the bug.

“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” said T-Mobile in a statement provided to ZDNet. “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”

A similar bug was discovered on a different T-Mobile subdomain last year.


Copyright © 2008 - 2024 · StreetCorner Media , LLC· All Rights Reserved ·