T-Mobile's Website Put Customer Data At Risk (Updated)

Update, 10/12/17, 7:55am PT: T-Mobile said in a statement that it's "not aware of any other open vulnerabilities" and that if it "became aware of any we would work to resolve them immediately."

Original article: 10/11/17, 8:15am PT:

T-Mobile's website exposed customer data to anyone who knew a target's phone number. It's not clear for how long this vulnerability was present in the company's site, but the company said in a statement that it resolved the issue less than 24 hours after security researchers first disclosed it.

Secure7, an information security company, discovered the flaw in T-Mobile's "mydigits.t-mobile.com" website. The company said the vulnerability could be used to collect a T-Mobile customer's first name, account permissions, email address, and user ID with little more than a phone number. Attackers could also glean someone's account status and the IMSI number of the SIM card associated with that person's T-Mobile phone.

The vulnerability apparently lied with the way "mydigits.t-mobile.com" requests information from "wsg.t-mobile.com" when someone logs in. Secure7 said the site made a GET request that required two parameters, "access_token" and "tmoid," to provide access to the account information. Before this vulnerability was addressed, however, it was possible to get at that information without the associated tmoid. Secure7 explained:

Querying the URL with a tmoid that doesn’t belong to you throws a permission error, but it was possible to replace tmoid with a different parameter, msisdn, and then supply with it a valid T-Mobile phone number, which would, without error, return limited data about the T-Mobile account associated with the phone number provided.

Secure7 confirmed the issue was addressed less than 24 hours after its disclosure. Unfortunately, that doesn't seem to mean that T-Mobile customers are out of the woods just yet, because the security company said that "a number of blackhat hackers were actively exploiting the issue until it was fixed" and that they could gather more data than previously thought, including encrypted passwords, security questions, and more.

T-Mobile said in a statement that it "confirmed that we have shut down all known ways to exploit" the vulnerability and that it has "found no evidence of customer accounts affected as a result" of the flaw. It also encouraged researchers to disclose problems like this via its official bug bounty program. The company didn't respond to a request for clarification as to whether or not it has resolved the issue that can expose passwords and the like.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
  • 10tacle
    Wonderful. Why can't these companies get better on protecting consumer information? I have T-Mobile and the past couple of weeks I've been getting a lot of spammish type of numbers. I called one back from VOIP through a fake Facebook account so they wouldn't know who I was. It wound up being a number of a regular person who said he did not call my number. He also had T-Mobile. It may or may not be related to this. If it is, I'm wondering if these hackers are running spam autobot calling with stolen mobile phone numbers.
  • dark_lord69
    "Why can't these companies get better on protecting consumer information?"

    And why do they need so much information!? There should be an implied shame with requesting consumer information. Instead, even for an in-store purchase it's like, "Oh, you want to buy that candle? What's your email address? Home phone number? Address? What color is your underwear? What's your date of birth?" The truth is; the only thing they really need is money to pay for that candle or whatever your buying.

    Shame on all companies that even ask for more than just payment.
  • vern72
    And that's how companies are supposed to handle a breach. Not having the vulnerability in the first place would be the only better option.