A vulnerability on a T-Mobile website could have allowed hackers to access customer account data with just a phone number, according to Motherboard.
Security researcher Karan Saini, founder of startup Secure7, discovered the flaw last week and informed T-Mobile about it. T-Mobile quickly patched the bug and offered Saini a $1,000 bug bounty.
The bug, which affected T-Mobile's wsg.t-mobile.com API, could have exposed users' names, email addresses, account numbers, and the IMSI network codes from their phones, Motherboard reports. With an IMSI number, an attacker could track a victim's location as well as intercept calls and text messages.
Exploiting the bug was as easy as running a query for someone else's phone number, the report notes. Moreover, the researcher said the vulnerability would have made it easy for someone with malicious intent to steal the personal information of all T-Mobile customers.
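The report describes the classic shape of a broken object-level authorization flaw: the record is selected by a caller-supplied phone number and nothing ties that number to the caller's own account, so one credential can walk through every number. The following is an added illustration (not T-Mobile's code, and not the actual wsg.t-mobile.com handler) in Python, showing the vulnerable lookup pattern beside a hardened one, and a small detector that flags a caller querying many distinct numbers in a short window. All accounts, tokens, the log format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; no real customers, tokens or carrier code.
ACCOUNTS = {
    "+15550000001": {"name": "Alice Example", "email": "alice@example.invalid",
                     "account_no": "A-1001", "imsi": "310260000000001"},
    "+15550000002": {"name": "Bob Example", "email": "bob@example.invalid",
                     "account_no": "A-1002", "imsi": "310260000000002"},
}


class Forbidden(Exception):
    """Raised when the caller asks for an object it does not own."""


def lookup_unscoped(requested_phone):
    """Vulnerable pattern: the record is chosen solely by the caller-supplied
    phone number, so any caller can read any customer's record and iterating
    over numbers scrapes the whole table."""
    return ACCOUNTS.get(requested_phone)


def public_view(record):
    """Field minimisation: a customer-facing endpoint has no reason to return
    the IMSI, so it is dropped regardless of who is asking."""
    return {k: v for k, v in record.items() if k != "imsi"}


def lookup_scoped(session_phone, requested_phone):
    """Hardened pattern: object-level authorization. The number must be the one
    bound to the authenticated session, never trusted from the query string."""
    if requested_phone != session_phone:
        raise Forbidden("requested account does not belong to the caller")
    record = ACCOUNTS.get(requested_phone)
    return public_view(record) if record else None


# --- detection side: one credential walking through many accounts ----------

# Assumed (constructed) access-log line format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) GET /account\?msisdn=(?P<msisdn>\+\d+) (?P<status>\d{3})$"
)

# Constructed log: token t1 looks up its own number once; token t2 walks
# through thirty numbers within half a minute.
SAMPLE_LOG = [
    "2017-10-10T12:00:00Z token=t1 GET /account?msisdn=+15550000001 200",
] + [
    f"2017-10-10T12:00:{i:02d}Z token=t2 GET /account?msisdn=+1555000{i:04d} 200"
    for i in range(1, 31)
]


def flag_enumeration(lines, max_distinct=10, window=timedelta(minutes=5)):
    """Return tokens that looked up more than max_distinct distinct numbers
    inside any sliding window. A customer asks about one or two lines;
    a scraper asks about thousands."""
    per_token = defaultdict(list)  # token -> [(timestamp, msisdn)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an account lookup
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_token[m["token"]].append((ts, m["msisdn"]))

    flagged = []
    for token, events in per_token.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {ms for _, ms in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged.append(token)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(lookup_scoped("+15550000001", "+15550000001"))
    print("flagged tokens:", flag_enumeration(SAMPLE_LOG))
```

The two fixes are independent: scoping the lookup to the session removes the data leak, and dropping the IMSI from the response limits the damage if another bug appears later. The detector is a coarse backstop that would surface a scraper even while a flaw like this is still open.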
"An attacker could have run a script to scrape the data … from all 76 million [T-Mobile] customers to create a searchable database with accurate and up-to-date information of all users," Saini told Motherboard in an online chat.
Fortunately, it's no longer possible to do that. In a statement to PCMag, T-Mobile said it resolved the flaw less than 24 hours after Saini reported it.
"We have confirmed that we have shut down all known ways to exploit it," T-Mobile said. "As of this time we've found no evidence of customer accounts affected as a result of this vulnerability."
An anonymous hacker tells Motherboard a different story, however, saying "a bunch of sim swapping skids had the [vulnerability] and used it for quite a while." They apparently used the stolen information obtained via the hack to trick T-Mobile employees into handing over new SIM cards and hijack phone numbers by impersonating the rightful owners of the line.
When Motherboard asked T-Mobile about the hacker's claim, the carrier reiterated that it has found no evidence of customer accounts being affected by the flaw.