T-Mobile bug let anyone see any customer's account details

Exclusive: The exposed lookup tool let anyone run a customer's phone number -- and obtain their home address and account PIN, used to contact phone support.

A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number.

The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone.

The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

The data also included references to account PINs used by customers as a security question when contacting phone support. Anyone could use that information to hijack accounts.

T-Mobile pulled the API offline a day after it was reported in early April by security researcher Ryan Stevenson, who was later awarded $1,000 in a bug bounty.

Stevenson sent ZDNet several screenshots of customer data returned from the working API.

A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure."

"The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

T-Mobile had 74 million customers, as of the company's last earnings call earlier this month.

The bug is nearly identical to an exposed API issue found last year that was located on a different T-Mobile subdomain, as reported by Motherboard.

Although T-Mobile said at the time it found "no evidence" that customer data was stolen, it later transpired that hackers already found the exposed API and had been exploiting the bug for weeks. The hackers proved this by providing the Motherboard reporter with his own data.

It's not known how long this most recent API was exposed. A historical search of the portal on the Wayback Machine suggests the site has been live since at least October.

T-Mobile is currently in a $26 billion merger agreement with Sprint. The deal is expected to close, subject to regulatory approval, next year.

Got a tip?

You can send tips securely over Signal and WhatsApp at 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More