T-Mobile Web Portal Bug
News | 05/28/2018

T-Mobile Web Portal Bug Exposed Customer Account Data

About: Lack of Security of T-Mobile Web Portal “promotool.t-mobile.com”, a customer care portal led to the exposure of Customer Account Information of 74 million customers. Let us know how?

| News | T-Mobile Web Portal Bug Exposed Customer Account Data

A research conducted last month confirmed a bug in the T-Mobile customer support portal which exposed personal information including account details and PIN of its 74 million customers.

The T- mobile sub-domain has a customer care portal, “promotool.t-mobile.com”, which contained customer sensitive data is publicly accessible. This portal which is primarily used by the company staff could be easily accessed on search engine, and contained a hidden API that would return T-Mobile customer data simply by adding the customer’s cell phone number to the end of the web address.

Since the API wasn’t protected by a login screen or any other authentication protection, the portal could be easily accessed by anyone. Hence, customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers could be easily retrieved.

The portal also included the references to account PINs used by customers as a security question when contacting phone support. This sensitive information could be used to hijack customers’ accounts.

After weeks of the bug being exploited by the cyber criminals, it was identified and reported by a security researcher Ryan Stevenson, with the help of a Bounty program which alerts researchers of such vulnerabilities. Several screenshots taken by him as a proof, to show the customer data returned from the API saved the company from this major threat and awarded him with $1000 for the discovery.

After receiving the alert, the company pulled the API offline for a day and added a credential login to protect the tool.

This saved the company from the data exposure of tens of millions of people.

Hits: 82

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866