T-Mobile Bug Exposed Customer Account Details

May 25, 2018, 9:57 AM   by Eric M. Zeman   @zeman_e

The personal account details of T-Mobile customers were easily accessible for an unknown time thanks to a bug in T-Mobile's web site. The site in question was a subdomain used by T-Mobile staff to access customer account information when performing customer service tasks. The subdomain, however, was not protected by a password and could be used by anyone who knew how to find it. Using T-Mobile customer phone numbers, anyone could have quickly discovered names, account numbers, addresses, tax information, account payment status, PINs, and more. Security researcher Ryan Stevenson discovered the vulnerability in April and alerted T-Mobile. T-Mobile pulled the API in question and fixed the bug. "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure," said T-Mobile in a statement provided to ZDNet. "The bug was patched as soon as possible and we have no evidence that any customer information was accessed." A similar bug was discovered on a different T-Mobile subdomain last year.



All content Copyright 2001-2020 Phone Factor, LLC. All Rights Reserved.
Content on this site may not be copied or republished without formal permission.