A Security Flaw Let Anyone See Exposed Customer Data on a T-Mobile Website

Instances of exposed customer data are not rare anymore, and even T-Mobile has fallen victim to the issue.

As first reported on Thursday by ZDNet, a flaw made it possible for anyone to visit a specific website and obtain T-Mobile customer data, including their home address and account PIN, all without needing a password. In fact, visiting the website, which was a specific subdomain that was originally intended only for T-Mobile’s internal use but could be easily found on Google, made it possible to reveal subscriber data just by inputting a phone number.

The API tool was initially meant to be used by T-Mobile employees, which they would implement to locate customer data — but it wasn’t protected by a password, which made it possible for anyone to use.

As far as what was included in the obtained data, it included a customer’s full name, their billing address, their account PIN, and could even include information pertaining to the customer’s tax identification number. The person looking up the information could also see if an account was past due, or if the account has been suspended.

The report indicates that the flaw was reported to T-Mobile by security researcher Ryan Stevenson last month, and there is no word on just how long the flaw was readily available on the subdomain. However, it appears it could have been as far back as October of last year.

At the time of publication, T-Mobile has pulled the API tool and it appears the flaw has been addressed.

Our Take

It’s sad that these stories are starting to become a regular occurrence. At least in this case it was on a subdomain that many people might not know exists, or even think about trying to find. Still, it’s unfortunate that a site like that, with so much personal information, was so readily available and unsecured.

[via ZDNet]