T-Mobile’s website was sitting with a nasty bug out in the open, and it could have made it ridiculously easy for an attacker to compromise a customer’s data.
A little-known web API visible to the public allowed an attacker to input a T-Mobile customer’s phone number and get back details such as the customer’s email address, T-Mobile account number, and the phone’s IMSI, a unique identifying number.
The vulnerability was reported to T-Mobile and patched a little over a week ago, and the company maintains that no customer data was accessed through this method. Despite that, Motherboard reports that a black hat hacker told them the vulnerability had, in fact, been discovered and used by some in the hacking scene, and proved it by sending the reporter the reporter’s own account details. There’s even a YouTube video showing the process, uploaded as far back as August 6th.
When pressed again, T-Mobile stood by their position that no customer data was accessed. Either way, the bug should be fixed now, so if anyone has any malicious ideas then they needn’t apply any longer.