A flaw on T-Mobile US’ website allowed hackers to access customer information including email addresses and account numbers using just a phone number, Motherboard reported.
The bug was flagged last week by Karan Saini, founder of digital security company Secure7, who noted in a blog post that the issue was discovered while monitoring requests on T-Mobile’s DIGITS web page.
In a statement to Mobile World Live, T-Mobile said it patched the vulnerability less than 24 hours after Saini reported it and “confirmed that we have shut down all known ways to exploit it.”
The operator added it appreciates “responsible reporting of bugs through our Bug Bounty programme to protect consumers from any potential issues.”
Before the bug was patched, Saini indicated that querying the service’s URL with a T-Mobile phone number on the website would return “limited data” about the account associated with the number.
Initially, Secure7 confirmed it was possible to access customers’ first name, account permissions, email address, user ID, account status and SIM card number. However, subsequent checks found malicious hackers had been “actively exploiting” the vulnerability prior to the patch to gain additional information including security answers and encrypted passwords, Saini explained in the blog.
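The flaw described above is a lookup endpoint keyed on a phone number that returns account data without checking that the caller owns that number. The following added example (not T-Mobile's code or Saini's findings; all records, session tokens and function names are constructed for illustration) shows that vulnerable shape beside a hardened version that binds the lookup to the authenticated session:

```python
"""Constructed illustration of a phone-number-keyed account lookup, first
without and then with an ownership check. Nothing here is the real DIGITS API."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Account:
    # The field set mirrors what the article says the flaw exposed.
    first_name: str
    permissions: str
    email: str
    user_id: str
    status: str
    sim: str


# Constructed sample data: phone number -> account record.
ACCOUNTS = {
    "5550100": Account("Alice", "primary", "alice@example.com", "u-1", "active", "SIM-A"),
    "5550199": Account("Bob", "primary", "bob@example.com", "u-2", "active", "SIM-B"),
}

# Constructed session store: session token -> phone numbers that session owns.
SESSIONS = {"tok-alice": {"5550100"}}


class Forbidden(Exception):
    """Raised when a session asks for a number it is not bound to."""


def lookup_vulnerable(phone: str) -> dict:
    """Vulnerable shape: whoever supplies a valid phone number gets the record.
    The only 'secret' is the phone number itself, which is not a secret."""
    return asdict(ACCOUNTS[phone])


def lookup_hardened(session_token: str, phone: str) -> dict:
    """Hardened shape: the authenticated session must own the requested number.
    A number the session does not own and a number that is not a customer
    both raise Forbidden, so the response does not reveal which case applied."""
    owned = SESSIONS.get(session_token, set())
    if phone not in owned:
        raise Forbidden("requested number is not bound to this session")
    return asdict(ACCOUNTS[phone])
```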
A video detailing how to execute the hack was posted to YouTube in August. TechCrunch writer John Biggs later reported a hacker hijacked his T-Mobile account by replacing his SIM card and was, in turn, able to change Biggs’ email and Facebook passwords. The hacker was also able to text from Biggs’ account, soliciting money in the form of Bitcoins from friends.
It is unclear whether Biggs’ experience was enabled by the particular flaw flagged by Secure7. So far, however, T-Mobile said it found “no evidence of customer accounts affected as a result of this vulnerability.”