- A newly disclosed T-Mobile bug put millions of customers at risk through a vulnerability on one of the carrier’s subdomains.
- The “Customer Care Portal” built by T-Mobile allowed anyone who knew a T-Mobile customer’s phone number to retrieve that customer’s account data.
- The carrier has already drawn criticism for similar bugs in the recent past that exposed user data.
T-Mobile is in the midst of a data privacy controversy yet again. The carrier’s customer care portal contained a vulnerability that let anyone who knew a customer’s phone number pull up that customer’s data: appending a T-Mobile phone number to the end of a URL returned the account PIN, account status and the customer’s name, and for some customers the response also included a tax identification number. No authentication was required, so the only thing an attacker needed was a phone number, which is trivially guessable or enumerable.
The bug lived on a publicly reachable subdomain and was found by security researcher Ryan Stevenson after T-Mobile advertised bounties for bugs on its website. It was reported in early April, and the researcher was paid a $1,000 reward. T-Mobile took the API offline as soon as it was notified.
T-Mobile customers who believe their data has been compromised can get help from the carrier’s Privacy and Security Resources page and work with the carrier on a resolution. Unlike other carriers, T-Mobile has no dedicated web security team to deal with privacy breaches quickly, and after multiple breaches in the recent past, customers may gradually lose trust and move to other carriers.
The full impact of the bug is not yet known: the endpoint was publicly reachable, so data may have been harvested before the fix. The bug has been patched, and the carrier says it has found no evidence that customer information was stolen. A similar bug was found last fall, however, and although the carrier said it had been patched, attackers were still able to exploit it, which casts doubt on the current claim that no user data was taken.
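The bug class described above (an API that keys a customer lookup on a phone number in the URL and never checks who is asking) and the impact question raised in the last paragraph (was the endpoint enumerated before the fix?) are both illustrated below. This is an added example, not T-Mobile’s code; the URL path `/api/account/<number>`, the field names and the access-log format are assumptions, and all customer records and log lines are constructed sample data.

```python
"""Added example, not T-Mobile's code: a phone-number-keyed lookup with no
authorization (the bug class in the article) next to a hardened version, plus
a log check for the enumeration an attacker would run against such an endpoint.
The path, field names, log format and all records below are constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. Field names mirror what the article says the
# portal exposed (name, status, PIN, tax ID); the values are invented.
CUSTOMERS = {
    "5550100001": {"name": "A. Example", "status": "active", "pin": "1234", "tax_id": "***-**-0001"},
    "5550100002": {"name": "B. Example", "status": "suspended", "pin": "9876", "tax_id": "***-**-0002"},
}

# Which authenticated account owns which line (assumption for the example).
LINE_OWNER = {"5550100001": "acct-1", "5550100002": "acct-2"}


@dataclass
class Request:
    path: str
    session_account: Optional[str] = None  # None models an unauthenticated caller


def lookup_vulnerable(req: Request):
    """Vulnerable pattern: the last path segment is used directly as the key.
    Anyone who knows or guesses a number gets the whole record, PIN included."""
    number = req.path.rsplit("/", 1)[-1]
    record = CUSTOMERS.get(number)
    if record is None:
        return 404, None
    return 200, record


def lookup_hardened(req: Request):
    """Hardened pattern: authenticate, validate the identifier, then authorize on
    ownership. 'Not yours' and 'not a customer' return the same 404 so the
    endpoint cannot be used to confirm which numbers belong to customers, and
    the PIN is treated as an authenticator and never returned."""
    if req.session_account is None:
        return 401, None
    number = req.path.rsplit("/", 1)[-1]
    if not (number.isdigit() and len(number) == 10):
        return 400, None
    if LINE_OWNER.get(number) != req.session_account:
        return 404, None  # indistinguishable from an unknown number
    record = CUSTOMERS[number]
    return 200, {k: v for k, v in record.items() if k != "pin"}


# Constructed access-log format: "<timestamp> <client ip> GET <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/account/(\d{10}) (\d{3})$")


def detect_enumeration(log_lines, threshold: int = 20):
    """Return client IPs that looked up at least `threshold` distinct phone
    numbers. Every attempt counts, not just 200s: a 404 on the vulnerable
    endpoint still tells the attacker that number is not a customer."""
    numbers_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not lookups on this endpoint
        _ts, ip, number, _status = m.groups()
        numbers_by_ip[ip].add(number)
    return {ip for ip, nums in numbers_by_ip.items() if len(nums) >= threshold}


# Constructed log sample: one client walking sequential numbers, one
# legitimate client re-reading its own line.
SAMPLE_LOG = [
    "2018-04-06T10:00:01Z 203.0.113.5 GET /api/account/5550100001 200",
    "2018-04-06T10:00:02Z 203.0.113.5 GET /api/account/5550100002 200",
    "2018-04-06T10:00:03Z 203.0.113.5 GET /api/account/5550100003 404",
    "2018-04-06T10:00:04Z 203.0.113.5 GET /api/account/5550100004 404",
    "2018-04-06T10:05:00Z 198.51.100.7 GET /api/account/5550100002 200",
    "2018-04-06T10:05:30Z 198.51.100.7 GET /api/account/5550100002 200",
    "2018-04-06T10:06:00Z 198.51.100.7 GET /static/logo.png 200",
]


if __name__ == "__main__":
    anon = Request("/api/account/5550100001")
    print("vulnerable, anonymous:", lookup_vulnerable(anon))
    print("hardened, anonymous:  ", lookup_hardened(anon))
    print("hardened, other user: ", lookup_hardened(Request("/api/account/5550100001", "acct-2")))
    print("hardened, owner:      ", lookup_hardened(Request("/api/account/5550100001", "acct-1")))
    print("enumerating IPs:      ", detect_enumeration(SAMPLE_LOG, threshold=3))
```

The hardened handler also fixes two second-order problems the article hints at: returning 404 for both "unknown" and "not yours" stops the endpoint from confirming which numbers are customers, and dropping the PIN from the response means a future authorization bug cannot hand out the credential used to take over the account. The log check is the first thing to run when assessing impact: a single client walking sequential numbers, including ones that returned 404, is the signature of bulk harvesting.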