T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com)
An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.
Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.
Re: (Score:2)
use pre paid (Score:2)
Re: (Score:3)
and there's no personal information stored outside of payment information
There are many ways to top-up a pre-paid plan without a card. On the other hand, the "no personal information" thing is why in countries with a Nazi government (such as our current National-Socialist-Theocrat govt in Poland), you have to register your SIM card with the government, and trying to randomize/change the IMEI gets punished harsher than a rape.
Re: (Score:2)
changing IMEI is 3 months to 5 years, rape is 6 months to 10 years
Minimum and maximum codified sentences do not reflect the average sentence handed down by courts.
Re: (Score:2)
Right. I paraphrased an inaccurate sound bite, but with the correction, the main point stands: there's a mandatory prison sentence for an action that in a country with sane privacy rules should be mandatory to perform. Just like MAC address when scanning WiFi endpoints, IMEI needs to be randomized or you can be accurately tracked at any time.
Re: (Score:2)
RESTful APIs (sans RBAC) FTW (Score:2)
GET https://api.corpsite.com/customer/ID - returns the customer data (in JSON or XML) for the provided ID
I'll bet another $100 that there's no mention of any authenticated roles needed to access that call and an extra $100 that there were never any tests designed to try to access a customer's data while signed on as a different customer.
Play stupid games...
Re: (Score:2)
Re: (Score:2)
All the phone agents that work there should be fined too! And the janitors! I guarantee you they had as much knowledge of coding as the CEO
Re: (Score:1)
Hey, the reason the CEO makes that huge sum is that they are responsible for the company. If they want to pay a janitor 1mil per year, he can be held accountable too ;)
Unfortunately for all of their customers, the ability to be informed (and thereby responsible) fails to come with the salary.
Re: (Score:2)
> by a guy
I assume by "guy" you mean an "Indian guy." The ones I've worked with in the past over forty+ years I've worked in tech in the Seattle area typically only stay a couple of years, create a mess, and then move on. I can't blame them since that's basically the only way you can get a raise.
Re: (Score:2)
> by a guy
I assume by "guy" you mean an "Indian guy."
I wish I could disagree, but I can't.
Sadly, the vast majority of Indian coders I've worked with are dreadful. ZERO initiative, sloppy coding, virtually no insight into possible usage issues or corner cases, and their documentation, needless to say, is either nonexistent or completely incomprehensible.
Not all of them, but I'd say 90% of them are as useless as a Reggae band at a Klan rally.
Re: (Score:2)
I actually find a majority of Indian coders I have worked with to be the most skilled and competent. I have found that a strict development process is key in any coding shop and all the complaints you have are a symptom of a bad leader. Zero initiative is solved by showing a backlog and being quick to fire. After a few heads roll, people will start showing initiative to not get fired. Sloppy coding is solved with linting tools and style enforcement upon merge request. Usage issues are not the developer
Re: (Score:2)
Instead of being racist and casting a negative light on all, or excuse me a vast majority of, Indian coders how about you take a step back and think about why that kind of culture is allowed to perpetuate in the first place.
Instead of assuming my comments were driven by racism, how about you step back and think about why you would jump to that conclusion. I would make similar comments about any group of developers that exhibited such traits, and I have indeed seen them across all races and genders.
But to be blunt, based on my experience and what I've personally observed in the last 20+ years or so, many of the Indian coders in the dev teams that I've been a part of are not good coders. It's not confined to any one race or sub-
Could get expensive (Score:2)
I can hear the Europeans sharpening their knives to make use of the new regulations about keeping data safe to fine T-Mobile serious money. At least let's hope so; mistakes like this should result in serious damage - in the hundreds of millions - to organisations' profits.
Re: (Score:2)
Exactly! Here's hoping this destroys T-Mobile and we can go back to having 2 carriers like government intended!
Re: (Score:1)
Europe(ans) could care less about what happens to the data of Americans in America.
I have an idea! (Score:4, Insightful)
Let's create an un-advertised domain that is connected to the internet and allows full access to account information!
Even better, let's make sure there's no authentication required!
Seriously, why isn't this only on some T-Mobile intranet that is locked down to only those people with appropriate need-to-know and signed agreements?
Most list-reader monkeys don't need access to anything more than my name and zip code. Billing may need stuff like bank accounts, but nobody really needs to maintain tax information. They aren't sending me a 1099 come January - mark a credit check as approved and a date, no need for more.
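The "RESTful APIs (sans RBAC)" comment above describes a GET /customer/ID endpoint with no authenticated role check and no test for cross-customer access, and this thread adds that care staff only need name and zip code. The following is an added example (not T-Mobile's code or any commenter's) showing that endpoint shape unprotected beside a hardened version that authenticates the caller, scopes a customer to their own record, and returns only the fields a role needs; the records, phone numbers, roles and the Caller type are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by the lookup value the article describes
# (a phone number); numbers and values are made up for this example.
CUSTOMERS = {
    "5550100": {"name": "A. Example", "zip": "98101", "address": "1 Main St",
                "billing_account": "BA-0001", "tax_id": "XX-XXXXXXX",
                "past_due": True},
    "5550101": {"name": "B. Example", "zip": "98102", "address": "2 Main St",
                "billing_account": "BA-0002", "tax_id": "XX-XXXXXXX",
                "past_due": False},
}
# Hypothetical roles and the fields each may see: least privilege per field,
# so a care agent gets name, zip and account status and nothing more.
ROLE_FIELDS = {
    "customer": {"name", "zip", "address", "billing_account", "past_due"},
    "care_agent": {"name", "zip", "past_due"},
}

@dataclass
class Caller:
    subject: str   # authenticated identity; for a customer, their own number
    role: str

class Forbidden(Exception):
    pass

def lookup_unprotected(customer_id: str) -> dict:
    """The flawed shape: anyone who knows the URL gets the whole record."""
    return dict(CUSTOMERS[customer_id])

def lookup_protected(caller: Optional[Caller], customer_id: str) -> dict:
    """Hardened: authenticate, authorise, then minimise the returned fields."""
    if caller is None:
        raise Forbidden("authentication required")
    allowed = ROLE_FIELDS.get(caller.role)
    if allowed is None:
        raise Forbidden("unknown role")
    # A customer may only read their own record; staff roles are field-scoped.
    if caller.role == "customer" and caller.subject != customer_id:
        raise Forbidden("cross-customer access denied")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise Forbidden("not found")  # same error as denied: no enumeration oracle
    return {k: v for k, v in record.items() if k in allowed}

def is_denied(caller: Optional[Caller], customer_id: str) -> bool:
    """The missing test the comment describes: does the lookup refuse this caller?"""
    try:
        lookup_protected(caller, customer_id)
        return False
    except Forbidden:
        return True
```

The is_denied helper is the shape of the test the commenter bet was never written: sign on as one customer, request another customer's record, and assert the call is refused.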
Re: (Score:2)
Re: (Score:2)
Account security is why I left T-Mobile in 2007. I'm not looking forward to being their customer again due to the Sprint merger.
Not surprised (Score:2)
Because security through obscurity is cheaper (Score:2)
What a load of crap (Score:3)
Really? By no evidence do you mean that no activity log files were created or stored? Because elsewhere in TFA it says:
Need a New Word (Score:2, Insightful)
This is not a bug. This is gross negligence of some kind and should be called that. A bug implies (to me, and most devs I know) a non-obvious defect in implementation. A mistake.
This is like building a records office and putting it in the lobby of city hall in cardboard boxes. No one would call that a simple "mistake".
Not a bug (Score:2)
This was not a "bug", this was just craptastic coding by some jackass developer.