A new report has revealed that the T-Mobile website recently suffered from a privacy bug.
Security researcher Karan Saini says that a flaw with the T-Mobile website would allow an attacker to access account data, including a customer’s name and IMSI number, by knowing or guessing that customer’s phone number. Here’s what Secure7’s Saini told Motherboard about the bug:
“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users.”
Saini warned T-Mobile about this bug, and T-Mo patched it last Friday. T-Mobile says that there’s no indication that the flaw was shared broadly and that only a small portion of the customer base was affected. In return for reporting the bug, T-Mobile gave Saini $1,000 and encouraged others to report any bugs to firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
Because this bug could have given access to the personal data of customers, it’s a pretty serious issue. The good news is that it sounds like T-Mobile fixed it up fairly quickly and that it doesn’t appear that anyone exploited the vulnerability before it was patched.