Thursday, March 28, 2024

T-Mobile Website Bug Allowed Hackers to Access Millions of customer’s Personal Data

A bug on T-Mobile Website allows hackers to steal customers personal data such as email addresses, T-Mobile customer account numbers and their phone’s IMSI, a unique identifier assigned to every device.

The bug was discovered by security researcher Karan Saini which allowed anyone who knew or guessed a customer’s phone number to acquire information that could be utilized for social engineering attacks or even hijack a target’s numbers, reported first by Motherboard.

“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,”Saini Founder of Secure7 told Motherboard.

It is classified as a very critical data breach and it impacted every T-Mobile phone owner. The bug resides with wsg.t-mobile.com API.

Saini found that he could query for another person’s telephone number and the API would essentially send back a reply containing the other individual’s data.

Also Read North Korean Hackers Stole US-South Korean War Data Plans worth 235 Gigabyte

T-Mobile told Motherboard the issue impacted only for a small part of customers and we investigated and resolved the issue within 24 hours and there is no sign that it was shared more broadly.

Saini said T-Mobile thanked him by offering him a bounty of $1,000 which rewards Whitehat hackers and penetration testers who find bugs and alert company of vulnerabilities.

But Motherboard said After publishing this story, an Anonymous blackhat hacker reached to them and said the bug was found few weeks before and exploited by hackers and it looks like hackers found the bug before Saini.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

They have also uploaded a video on youtube on how to exploit it.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles