A couple of months after it was discovered that a vulnerability in the T-Mobile website allowed hackers to log into any customer’s account, another vulnerability in T-Mo’s site has been found.
Security researcher Ryan Stevenson recently found that a T-Mobile subdomain would hand over customer data to anyone who supplied a customer’s phone number. According to ZDNet, the subdomain was promotool.t-mobile.com and was primarily used by customer care, but it contained an API that returned customer data when a phone number was simply appended to the end of a web address.
Exploiting the bug returned customer details such as full name, address, billing account number and account information, references to account PINs, and in some cases tax identification numbers.
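The flaw described above is a lookup keyed on a caller-supplied identifier with no check on who is asking. The following added example (not T-Mobile’s code, and not the promotool API) contrasts that pattern with a hardened handler that authenticates the session, requires a customer-care role, returns only the fields the task needs, and writes an audit trail that a simple enumeration detector can review. All customer records, session tokens, role names and the lookup threshold are constructed for illustration.

```python
"""Added example: an identifier-keyed lookup with no access control, beside a
hardened version and a detector for bulk lookups in the audit log.
Every record, token and threshold here is constructed; none is real data."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample customer records keyed on (fictional) phone numbers.
CUSTOMERS = {
    "5550100": {"name": "Ada Example", "address": "1 Sample St",
                "billing_account": "BA-1001", "pin_hint": "mother's maiden name",
                "tax_id": "***-**-1234"},
    "5550101": {"name": "Bob Example", "address": "2 Sample Ave",
                "billing_account": "BA-1002", "pin_hint": "first pet",
                "tax_id": "***-**-5678"},
}

# Constructed session table: token -> (agent id, set of roles).
SESSIONS = {
    "tok-care-1": ("agent42", {"customer_care"}),
    "tok-guest": ("guest01", set()),
}

# Fields a care agent needs to handle a call. PIN references and tax ids
# are deliberately not on this list, so they never leave the server.
SAFE_FIELDS = ("name", "address", "billing_account")


class AccessDenied(Exception):
    """Raised when a lookup is refused; the caller learns nothing about the record."""


def lookup_insecure(phone: str) -> Optional[dict]:
    """The pattern the article describes: whoever knows a phone number gets
    the whole record. No authentication, no authorization, no audit trail."""
    return CUSTOMERS.get(phone)


@dataclass
class AuditLog:
    """Append-only record of lookup attempts: (agent, phone, record_found)."""
    entries: list = field(default_factory=list)


def lookup_hardened(token: str, phone: str, log: AuditLog) -> Optional[dict]:
    """Authenticate the session, require the customer-care role, log every
    attempt (including refused ones), and return only the fields needed."""
    session = SESSIONS.get(token)
    if session is None:
        log.entries.append(("<anonymous>", phone, False))
        raise AccessDenied("no valid session")
    agent, roles = session
    if "customer_care" not in roles:
        log.entries.append((agent, phone, False))
        raise AccessDenied("customer_care role required")
    record = CUSTOMERS.get(phone)
    log.entries.append((agent, phone, record is not None))
    if record is None:
        return None
    return {key: record[key] for key in SAFE_FIELDS}


def enumeration_suspects(log: AuditLog, max_distinct: int = 3) -> Set[str]:
    """Flag callers who looked up more distinct phone numbers than a care agent
    plausibly handles in the window the log covers. A scraper walking a number
    range stands out here even when every individual request is authorized."""
    seen = defaultdict(set)
    for agent, phone, _found in log.entries:
        seen[agent].add(phone)
    return {agent for agent, phones in seen.items() if len(phones) > max_distinct}


if __name__ == "__main__":
    log = AuditLog()
    print("insecure:", lookup_insecure("5550100"))          # full record, no checks
    print("hardened:", lookup_hardened("tok-care-1", "5550100", log))  # safe fields only
    for n in range(5):                                      # simulate a bulk walk
        lookup_hardened("tok-care-1", "555999%d" % n, log)
    print("suspects:", enumeration_suspects(log))
```

The hardened handler logs refused attempts under an anonymous caller as well, so a wave of unauthenticated requests is visible in the same log the enumeration check reads; the threshold is a placeholder that a real deployment would tune to actual care-agent call volume.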
Stevenson discovered the bug in early April and reported it to T-Mobile afterward. T-Mobile took the API offline the following day and paid Stevenson a $1,000 bug bounty.
Here’s what T-Mobile had to say in response to the issue:
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.
“The bug was patched as soon as possible and we have no evidence that any customer information was accessed.”
This is a pretty serious security issue, especially when you consider that T-Mobile’s website recently had a similar problem that would let a malicious party log in to anyone’s account. In both instances, T-Mo has said that there’s been no evidence that customer info was compromised, but having two security bugs pop up within months of each other is still unsettling. Hopefully we don’t learn of a third any time soon.