The personal account details of T-Mobile customers were accessible to anyone on the internet for an unknown period because of a bug in a T-Mobile web site.
The site in question was a subdomain used by T-Mobile staff to look up customer account information while performing customer service tasks. The lookup API on that subdomain, however, required no authentication: anyone who found the host could call it. Because a customer's phone number was the only input, and phone numbers are public and trivially enumerable, anyone could have quickly retrieved names, account numbers, addresses, tax information, account payment status, PINs, and more.
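The bug class described above, as an added example that is not code from the article or from T-Mobile: a hypothetical staff-facing customer lookup handler keyed on phone number, first with no authentication (the pattern reported here), then hardened so that it requires a valid staff session, stops returning the PIN, and records who looked up whom. The customer records, session store, and request shape are constructed for this illustration.

```python
"""Hypothetical internal customer-lookup API: vulnerable vs. hardened.

Constructed for this page to illustrate the reported bug class (an
unauthenticated staff lookup keyed on a public identifier). Not T-Mobile's
code; the data, session store and request object are all made up.
"""

import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data standing in for the customer database.
CUSTOMERS = {
    "+15555550100": {"name": "Example Customer", "account": "A-0001",
                     "address": "1 Example St", "pin": "1234"},
}

# Constructed session store: token -> staff session. A real deployment would
# get this from the SSO/IdP layer, not an in-process dict.
STAFF_SESSIONS = {}
SESSION_TTL_SECONDS = 8 * 3600

# Constructed audit trail: every successful lookup is recorded.
AUDIT_LOG = []


@dataclass
class Request:
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_staff_session(username):
    """Mint a random bearer token for an authenticated staff member."""
    token = secrets.token_urlsafe(32)
    STAFF_SESSIONS[token] = {"user": username, "issued": time.time()}
    return token


def lookup_vulnerable(req):
    """The reported pattern: the phone number is the only 'secret', and it is
    public and enumerable, so anyone who can reach the host gets the record."""
    cust = CUSTOMERS.get(req.params.get("phone"))
    if cust is None:
        return 404, {"error": "not found"}
    return 200, dict(cust)


def _authenticate(req):
    """Return the staff session for a valid, unexpired bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    session = STAFF_SESSIONS.get(auth[len("Bearer "):])
    if session is None:
        return None
    if time.time() - session["issued"] > SESSION_TTL_SECONDS:
        STAFF_SESSIONS.pop(auth[len("Bearer "):], None)
        return None
    return session


def lookup_hardened(req):
    """Same lookup, but: authenticate first, never return the PIN, and audit."""
    session = _authenticate(req)
    if session is None:
        return 401, {"error": "authentication required"}
    phone = req.params.get("phone")
    cust = CUSTOMERS.get(phone)
    if cust is None:
        return 404, {"error": "not found"}
    # Return only what a service task needs; the PIN is a credential, not
    # account data, and should be verified server-side rather than displayed.
    safe = {k: v for k, v in cust.items() if k != "pin"}
    AUDIT_LOG.append({"user": session["user"], "phone": phone, "ts": time.time()})
    return 200, safe


if __name__ == "__main__":
    anon = Request(params={"phone": "+15555550100"})
    print("vulnerable, no auth:", lookup_vulnerable(anon))
    print("hardened, no auth:  ", lookup_hardened(anon))
    tok = issue_staff_session("agent1")
    staff = Request(params={"phone": "+15555550100"},
                    headers={"Authorization": "Bearer " + tok})
    print("hardened, staff:    ", lookup_hardened(staff))
    print("audit:", AUDIT_LOG)
```

The important difference is not the token mechanics but that the hardened handler refuses every request that does not carry a staff identity, so the phone number stops acting as the access key. In a real system the session check belongs in shared middleware in front of every staff endpoint, so that a single forgotten route cannot reproduce this bug.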
Security researcher Ryan Stevenson discovered the vulnerability in April and reported it to T-Mobile. T-Mobile took the API in question offline and fixed the bug.
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” said T-Mobile in a statement provided to ZDNet. “The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
A similar bug was discovered on a different T-Mobile subdomain last year.