A bug on T-Mobile Website allows hackers to steal customers personal data such as email addresses, T-Mobile customer account numbers and their phone’s IMSI, a unique identifier assigned to every device.
The bug was discovered by security researcher Karan Saini which allowed anyone who knew or guessed a customer’s phone number to acquire information that could be utilized for social engineering attacks or even hijack a target’s numbers, reported first by Motherboard.
“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,”Saini Founder of Secure7 told Motherboard.
It is classified as a very critical data breach and it impacted every T-Mobile phone owner. The bug resides with wsg.t-mobile.com API.
Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.
T-Mobile told Motherboard the issue impacted only for a small part of customers and we investigated and resolved the issue within 24 hours and there is no sign that it was shared more broadly.
Saini said T-Mobile thanked him by offering him a bounty of $1,000 which rewards Whitehat hackers and penetration testers who find bugs and alert company of vulnerabilities.
But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.
“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.
They have also uploaded a video on youtube on how to exploit it.