Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Privacy Security

T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com) 40

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

This discussion has been archived. No new comments can be posted.

T-Mobile Bug Let Anyone See Any Customer's Account Details

Comments Filter:
  • For security reasons, I always use pre-paid "plans" with my cell phones. They're cheaper, simpler, and there's no personal information stored outside of payment information (which can be made with any kind of card).
    • and there's no personal information stored outside of payment information

      There are many ways to top-up a pre-paid plan without a card. On the other hand, the "no personal information" thing is why in countries with a Nazi government (such as our current National-Socialist-Theocrat govt in Poland), you have to register your SIM card with the government, and trying to randomize/change the IMEI gets punished harsher than a rape.

      • Comment removed based on user account deletion
  • I'll bet $100 that there's a "spec" written by a guy with two years development experience that looks like this:

    GET https://api.corpsite.com/customer/ID - returns the customer data (in JSON or XML) for the provided ID

    I'll bet another $100 that there's no mention of any authenticated roles needed to access that call and an extra $100 that there were never any tests designed to try to access a customer's data while signed on as a different customer.

    Play stupid games...
    • RMS said it best: the problem is the data collection itself. You can add a "password" or "authentication" to it, but the problem is that the data in stored somewhere and anyone with the "authentication" can access it. No data is safe.
    • > by a guy

      I assume you mean by "guy" you mean an "Indian guy." The ones I've worked with in the past over forty+ years I've worked in tech in the Seattle area typically only stay a couple of years, create a mess, and then move on. I can't blame them since that's basically the only way you can get a raise.

      • > by a guy

        I assume you mean by "guy" you mean an "Indian guy."

        I wish I could disagree, but I can't.

        Sadly, the vast majority of Indian coders I've worked with are dreadful. ZERO initiative, sloppy coding, virtually no insight into possible usage issues or corner cases, and their documentation, needless to say, is either nonexistent or completely incomprehensible.

        Not all of them, but I'd say 90% of them are as useless as a Reggae band at a Klan rally.

        • by dknj ( 441802 )

          I actually find a majority of Indian coders I have worked with to be the most skilled and competent. I have found that a strict development process is key in any coding shop and all the complaints you have are a symptom of a bad leader. Zero initiative is solved by showing a backlog and being quick to fire. After a few heads roll, people will start showing initiative to not get fired. Sloppy coding is solved with linting tools and style enforcement upon merge request. Usage issues are not the developer

          • Instead of being racist and casting a negative light on all, or excuse me a vast majority of, Indian coders how about you take a step back and think about why that kind of culture is allowed to perpetuate in the first place.

            Instead of assuming my comments were driven by racism, how about you step back and think about why you would jump to that conclusion. I would make similar comments about any group of developers that exhibited such traits, and I have indeed seen them across all races and genders.

            But to be blunt, based on my experience and what I've personally observed in the last 20+ years or so, many of the Indian coders in the dev teams that I've been a part of are not good coders. It's not confined to any one race or sub-

  • I can hear the Europeans sharpening their knives to make use of the new regulations about keeping data safe to fine T mobile serious money. At least let's hope so; mistakes like this should result in serious damage - in the hundreds of millions - to organisations profits.

  • I have an idea! (Score:4, Insightful)

    by ausekilis ( 1513635 ) on Thursday May 24, 2018 @03:06PM (#56668428)

    Lets create an un-advertised domain that is connected to the internet and allows full access to account information!
    Even better, lets make sure there's no authentication required!

    Seriously, why isn't this only on some T-Mobile intranet that is locked down to only those people with appropriate need-to-know and signed agreements?
    Most list-reader monkeys don't need access to anything more than my name and zip code. Billing may need stuff like bank accounts, but nobody really needs to maintain tax information. They aren't sending me a 1099 come January - mark a credit check as approved and a date, no need for more.

  • I use T-Mobile's. Though the service works well, pretty much all of their client software is a train wreck, all their apps are unusable, and their customer service is like an episode of the twilight zone. If anything goes wrong, you're better off just creating a new account than trying to get it fixed.
  • Let's face it, security through obscurity is cheaper. Also, there's virtually no real, permanent or painful consequences for a large corporation that doesn't secure their customers data. More than likely, they're the only provider of a service that you need or the other guys do the same thing anyway. Perhaps you'll get a public mea culpa , a "we're sorry" add campaign in public media and one years worth of BS identity protection services. The truth is, they just don't care about your data, except for the m
  • by scdeimos ( 632778 ) on Thursday May 24, 2018 @04:58PM (#56669234)

    "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

    Really? By no evidence do you mean that no activity log files were created or stored? Because elsewhere in TFA it says:

    Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone.

  • Need a New Word (Score:2, Insightful)

    by Anonymous Coward

    This is not a bug. This is gross negligence of some kind and should be called that. A bug implies (to me, and most devs I know) a non-obvious defect in implementation. A mistake.

    This is like building a records office and putting it in the lobby of city hall in card board boxes. No one would call that a simple "mistake".

  • This was not a "bug", this was just craptastic coding by some jackass developer.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...