2018-05-24

T-Mobile Bug Let Anyone See Any Customer's Account Details

Posted by msmash
An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

  • For security reasons, I always use pre-paid "plans" with my cell phones. They're cheaper, simpler, and there's no personal information stored outside of payment information (which can be made with any kind of card).

    • and there's no personal information stored outside of payment information

There are many ways to top-up a pre-paid plan without a card. On the other hand, the "no personal information" thing is why in countries with a Nazi government (such as our current National-Socialist-Theocrat govt in Poland), you have to register your SIM card with the government, and trying to randomize/change the IMEI gets punished more harshly than rape.

  • I'll bet $100 that there's a "spec" written by a guy with two years development experience that looks like this:

    GET https://api.corpsite.com/customer/ID - returns the customer data (in JSON or XML) for the provided ID

    I'll bet another $100 that there's no mention of any authenticated roles needed to access that call and an extra $100 that there were never any tests designed to try to access a customer's data while signed on as a different customer.

    Play stupid games...
    • RMS said it best: the problem is the data collection itself. You can add a "password" or "authentication" to it, but the problem is that the data is stored somewhere and anyone with the "authentication" can access it. No data is safe.
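As an added example (not code from the article, ZDNet, T-Mobile, or any commenter), here is the lookup endpoint from the hypothetical `GET /customer/ID` spec above written in Python: once with no caller check, once requiring authentication plus an ownership or role check, together with the cross-customer test the commenter says was never written. Every record, phone number, role name and field list is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample records keyed by phone number (the "ID" in the spec).
CUSTOMERS = {
    "5550100": {"name": "A. Example", "address": "1 Main St", "billing_account": "BA-1"},
    "5550200": {"name": "B. Example", "address": "2 Main St", "billing_account": "BA-2"},
}

# Assumed least-privilege rule: care staff only get the fields their job needs.
CARE_AGENT_FIELDS = ("name",)


@dataclass
class Session:
    """Who is calling: a customer bound to one phone number, or a care agent."""
    phone: Optional[str]
    role: str  # "customer" or "care_agent" (constructed role names)


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_customer_unprotected(session: Optional[Session], customer_id: str) -> dict:
    """Literal reading of the spec: ID in, full record out, caller ignored."""
    return dict(CUSTOMERS[customer_id])


def get_customer_protected(session: Optional[Session], customer_id: str) -> dict:
    """Same lookup, but authenticate first, then authorize per role."""
    if session is None:
        raise Forbidden("authentication required")
    record = CUSTOMERS[customer_id]
    if session.role == "customer":
        if session.phone != customer_id:
            raise Forbidden("not your account")  # blocks horizontal access
        return dict(record)
    if session.role == "care_agent":
        return {k: record[k] for k in CARE_AGENT_FIELDS}
    raise Forbidden("unknown role")


def cross_customer_access_denied(handler: Callable) -> bool:
    """The missing test: signed in as one customer, ask for another's record."""
    alice = Session(phone="5550100", role="customer")
    try:
        handler(alice, "5550200")
    except Forbidden:
        return True
    return False


def anonymous_access_denied(handler: Callable) -> bool:
    """Companion test: no session at all must not yield a record."""
    try:
        handler(None, "5550100")
    except Forbidden:
        return True
    return False
```

Run both test helpers against each handler: the unprotected version returns `False` for both checks, which is exactly the condition the commenter describes.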

  • I can hear the Europeans sharpening their knives to make use of the new regulations about keeping data safe to fine T-Mobile serious money. At least let's hope so; mistakes like this should result in serious damage - in the hundreds of millions - to organisations' profits.

  • Let's create an un-advertised domain that is connected to the internet and allows full access to account information!
    Even better, let's make sure there's no authentication required!

    Seriously, why isn't this only on some T-Mobile intranet that is locked down to only those people with appropriate need-to-know and signed agreements?
    Most list-reader monkeys don't need access to anything more than my name and zip code. Billing may need stuff like bank accounts, but nobody really needs to maintain tax information.

  • I use T-Mobile. Though the service works well, pretty much all of their client software is a train wreck, all their apps are unusable, and their customer service is like an episode of the Twilight Zone. If anything goes wrong, you're better off just creating a new account than trying to get it fixed.

