Update, 10/12/17, 7:55am PT: T-Mobile said in a statement that it's "not aware of any other open vulnerabilities" and that if it "became aware of any we would work to resolve them immediately."
Original article: 10/11/17, 8:15am PT:
T-Mobile's website exposed customer data to anyone who knew a target's phone number. It's not clear how long this vulnerability was present on the company's site, but the company said in a statement that it resolved the issue less than 24 hours after security researchers first disclosed it.
Secure7, an information security company, discovered the flaw in T-Mobile's "mydigits.t-mobile.com" website. The company said the vulnerability could be used to collect a T-Mobile customer's first name, account permissions, email address, and user ID with little more than a phone number. Attackers could also glean someone's account status and the IMSI number of the SIM card associated with that person's T-Mobile phone.
The vulnerability apparently lay in the way "mydigits.t-mobile.com" requests information from "wsg.t-mobile.com" when someone logs in. Secure7 said the site made a GET request that required two parameters, "access_token" and "tmoid," to provide access to the account information. Before this vulnerability was addressed, however, it was possible to get at that information without the associated tmoid. Secure7 explained:
Querying the URL with a tmoid that doesn’t belong to you throws a permission error, but it was possible to replace tmoid with a different parameter, msisdn, and then supply it with a valid T-Mobile phone number, which would, without error, return limited data about the T-Mobile account associated with the phone number provided.
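The request pattern Secure7 describes, as an added example that is not part of the original article and is not T-Mobile's code: a constructed handler whose ownership check only fires when the caller supplies tmoid, so naming the same account by msisdn slips past it, beside a hardened version that resolves the account first and then authorizes on the resolved account no matter which lookup key was sent. The token store, account records, phone numbers, IMSI values and function names are all assumptions made for illustration.

```python
# Constructed illustration of the authorization gap described above.
# Nothing here is T-Mobile's code; the stores, values and function
# names are assumptions made for the example.


class Forbidden(Exception):
    """Raised when the token does not own the requested account."""


class NotFound(Exception):
    """Raised when no account matches the supplied lookup key."""


# Constructed token store: access_token -> the tmoid it was issued for.
TOKENS = {"tok-alice": "tmoid-1", "tok-bob": "tmoid-2"}

# Constructed account records keyed by tmoid; msisdn is the phone number.
ACCOUNTS = {
    "tmoid-1": {"msisdn": "15555550100", "first_name": "Alice",
                "email": "alice@example.com", "imsi": "310260000000001"},
    "tmoid-2": {"msisdn": "15555550101", "first_name": "Bob",
                "email": "bob@example.com", "imsi": "310260000000002"},
}


def owner_of(params):
    """Map access_token to the tmoid it was issued for, or refuse."""
    owner = TOKENS.get(params.get("access_token"))
    if owner is None:
        raise Forbidden("invalid or missing access_token")
    return owner


def resolve(params):
    """Locate the account by whichever lookup key the caller supplied.

    Returns (tmoid, record); tmoid is the canonical identity of the
    record regardless of which key was used to find it.
    """
    if "tmoid" in params:
        tmoid = params["tmoid"]
        record = ACCOUNTS.get(tmoid)
        return (tmoid, record) if record else (None, None)
    if "msisdn" in params:
        for tmoid, record in ACCOUNTS.items():
            if record["msisdn"] == params["msisdn"]:
                return tmoid, record
    return None, None


def vulnerable_lookup(params):
    """Flawed shape: ownership is checked on the tmoid parameter, so a
    request that names the account by msisdn never reaches the check
    and returns another customer's record."""
    owner = owner_of(params)
    if "tmoid" in params and params["tmoid"] != owner:
        raise Forbidden("tmoid does not belong to this token")
    _, record = resolve(params)
    if record is None:
        raise NotFound("no such account")
    return record


def hardened_lookup(params):
    """Fixed shape: resolve first, then authorize on the resolved
    account's tmoid, whichever lookup key the caller supplied."""
    owner = owner_of(params)
    tmoid, record = resolve(params)
    if record is None:
        raise NotFound("no such account")
    if tmoid != owner:
        raise Forbidden("account does not belong to this token")
    return record


def attempt(handler, params):
    """Run a handler and report the outcome as data: the first name on
    success, or the exception class name on refusal."""
    try:
        return handler(params)["first_name"]
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Bob's token with Alice's phone number: the flawed handler returns
    # Alice's record, the hardened one refuses.
    probe = {"access_token": "tok-bob", "msisdn": "15555550100"}
    print("vulnerable:", attempt(vulnerable_lookup, probe))
    print("hardened:  ", attempt(hardened_lookup, probe))
```

The general lesson is that an authorization check tied to one parameter name is only as good as the parser's refusal to accept any other way of naming the same object; the check has to run against the object actually resolved. A stricter option than the hardened handler above is to ignore caller-supplied identifiers entirely and derive the account from the token's subject, and in either case the response should pass through an explicit allow-list of fields rather than returning the whole record.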
Secure7 confirmed the issue was addressed less than 24 hours after its disclosure. Unfortunately, that doesn't seem to mean that T-Mobile customers are out of the woods just yet, because the security company said that "a number of blackhat hackers were actively exploiting the issue until it was fixed" and that they could gather more data than previously thought, including encrypted passwords, security questions, and more.
T-Mobile said in a statement that it "confirmed that we have shut down all known ways to exploit" the vulnerability and that it has "found no evidence of customer accounts affected as a result" of the flaw. It also encouraged researchers to disclose problems like this via its official bug bounty program. The company didn't respond to a request for clarification as to whether or not it has resolved the issue that can expose passwords and the like.