A security researcher last month confirmed a bug in a T-Mobile customer support portal that exposed personal information, including account details and account PINs, putting the data of the company's 74 million customers at risk.
The T-Mobile sub-domain promotool.t-mobile.com hosted a customer care portal that contained sensitive customer data and was publicly accessible. The portal, intended for company staff, could be found through a search engine and contained a hidden API that returned T-Mobile customer data when a customer's cell phone number was simply appended to the end of the web address.
Because the API was not protected by a login screen or any other form of authentication, anyone who found the URL could query it. A customer's full name, postal address and billing account number, and in some cases information about tax identification numbers, could be retrieved this way.
The portal also exposed references to account PINs, which customers use as a security answer when contacting phone support. An attacker holding a customer's PIN could pass that check and hijack the customer's account.
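The exposure described above, as an added example that is not part of the original article and is not T-Mobile's code: a Python model of an unauthenticated phone-number lookup of the kind described, beside a hardened handler that authenticates the caller, checks the caller's role, never returns the PIN and records every lookup. The endpoint path, the session store, the sample customer record and the hashed PIN storage are all assumptions made for this example.

```python
"""Added example: unauthenticated customer lookup beside a hardened version.
Everything here (path, sessions, records, PIN storage) is hypothetical."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample record standing in for the customer database.
# The fields follow the article (name, address, billing account, tax ID, PIN);
# keeping the PIN hashed is an assumption made for this example.
CUSTOMERS = {
    "5551234567": {
        "name": "Jane Example",
        "address": "1 Example St, Springfield",
        "billing_account": "BA-000123",
        "tax_id_last4": "1234",
        "pin_hash": hashlib.sha256(b"4321").hexdigest(),
    },
}

PHONE_RE = re.compile(r"\d{10}")


def phone_from_url(url):
    """Read the phone number from the last path segment, as the exposed API did.
    Returns None if the segment is not a 10-digit number."""
    segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    return segment if PHONE_RE.fullmatch(segment) else None


# --- Vulnerable shape: the handler never asks who is calling. ---
def vulnerable_lookup(url):
    """Anyone who knows the URL pattern and a phone number gets the whole record."""
    phone = phone_from_url(url)
    return CUSTOMERS.get(phone) if phone else None


# --- Hardened shape: authenticate, authorise, minimise, audit. ---
@dataclass(frozen=True)
class Session:
    user: str
    role: str


# Hypothetical session store keyed by bearer token.
SESSIONS = {
    "tok-agent17": Session(user="agent17", role="care_agent"),
    "tok-cust42": Session(user="cust42", role="customer"),
}
AUDIT_LOG = []  # (user, phone, status) for every lookup that reached the data layer


def hardened_lookup(url, bearer_token):
    """Return an (http_status, body) pair, mimicking an HTTP handler."""
    session = SESSIONS.get(bearer_token) if bearer_token else None
    if session is None:
        return 401, None          # no valid login at all
    if session.role != "care_agent":
        return 403, None          # logged in, but not staff entitled to this tool
    phone = phone_from_url(url)
    if phone is None:
        return 400, None
    record = CUSTOMERS.get(phone)
    AUDIT_LOG.append((session.user, phone, 200 if record else 404))
    if record is None:
        return 404, None
    # Data minimisation: the PIN, even hashed, never leaves the server.
    return 200, {k: v for k, v in record.items() if k != "pin_hash"}


def verify_pin(phone, pin_attempt):
    """Server-side PIN check for the agent to call, so the PIN is never displayed."""
    record = CUSTOMERS.get(phone)
    if record is None:
        return False
    attempt_hash = hashlib.sha256(pin_attempt.encode()).hexdigest()
    return hmac.compare_digest(record["pin_hash"], attempt_hash)


if __name__ == "__main__":
    url = "https://promotool.example.invalid/customer/5551234567"  # hypothetical path
    print("vulnerable:", vulnerable_lookup(url))
    print("no login:  ", hardened_lookup(url, None))
    print("customer:  ", hardened_lookup(url, "tok-cust42"))
    print("agent:     ", hardened_lookup(url, "tok-agent17"))
    print("pin ok:    ", verify_pin("5551234567", "4321"))
```

The check a practitioner wants after a fix of this kind is the first one in the script: an unauthenticated request for a valid phone number must come back as 401 with no body, not as a record. The hardened handler also stops returning the PIN at all, since a support tool only needs to confirm that the caller knows it, and logs who looked up which number so that a bulk-enumeration pattern is visible afterwards.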
The bug had been live for an unknown length of time before it was identified and reported by security researcher Ryan Stevenson through T-Mobile's bug bounty program, which rewards researchers for responsibly disclosing such vulnerabilities. Stevenson submitted several screenshots of customer data returned by the API as proof, and T-Mobile awarded him $1,000 for the discovery.
After receiving the report, the company pulled the API offline within a day and added a credential login to protect the tool.
The fix closed off a potential exposure of the personal data of tens of millions of people.