
Bug Exposed T-Mobile Data With Just a Phone Number

A vulnerability on a T-Mobile website could have allowed hackers to access customer account data with just a phone number, according to Motherboard.

Security researcher Karan Saini, founder of startup Secure7, discovered the flaw last week and informed T-Mobile about it. T-Mobile quickly patched the bug and offered Saini a $1,000 bug bounty.

The bug, which affected T-Mobile's wsg.t-mobile.com API, could have exposed users' names, email addresses, account numbers, and the IMSI network codes from their phones, Motherboard reports. With an IMSI number, an attacker could track a victim's location as well as intercept calls and text messages.

Exploiting the bug was as easy as running a query for someone else's phone number, the report notes. Moreover, the researcher said the vulnerability would have made it easy for someone with malicious intent to steal the personal information of all T-Mobile customers.

"An attacker could have run a script to scrape the data … from all 76 million [T-Mobile] customers to create a searchable database with accurate and up-to-date information of all users," Saini told Motherboard in an online chat.
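The pattern described above, a lookup keyed on a phone number that returns the account regardless of who is asking, is shown here next to a version that checks ownership and flags bulk enumeration. This is an added example, not T-Mobile's code and not from the original article; the session store, field names, sample records and alert threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: phone number -> account record (not real values).
ACCOUNTS = {
    "15550100": {"name": "A. Example", "email": "a@example.test", "imsi": "001010000000001"},
    "15550101": {"name": "B. Example", "email": "b@example.test", "imsi": "001010000000002"},
}
# Constructed session store: session token -> phone numbers on that caller's account.
SESSIONS = {"tok-a": {"15550100"}, "tok-b": {"15550101"}}

ENUM_THRESHOLD = 3  # assumed: distinct foreign numbers per session before alerting


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def lookup_unchecked(token, msisdn):
    """Flawed pattern: the caller is authenticated, but never authorized
    for the specific phone number named in the query."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return ACCOUNTS.get(msisdn)


class AccountApi:
    """Hardened lookup: object-level authorization plus enumeration alerting."""

    def __init__(self):
        self.denied = defaultdict(set)  # token -> foreign numbers it requested
        self.alerts = []                # tokens that crossed the threshold

    def lookup(self, token, msisdn):
        owned = SESSIONS.get(token)
        if owned is None:
            raise Forbidden("not authenticated")
        if msisdn not in owned:
            # Record the denial; many distinct foreign numbers from one
            # session is the scraping behaviour the quote describes.
            self.denied[token].add(msisdn)
            if len(self.denied[token]) == ENUM_THRESHOLD:
                self.alerts.append(token)
            raise Forbidden("number is not on the caller's account")
        return ACCOUNTS.get(msisdn)
```

The same response is returned for a foreign number whether or not it exists, so the denial itself does not confirm which numbers are valid.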

Fortunately, it's no longer possible to do that. In a statement to PCMag, T-Mobile said it resolved the flaw less than 24 hours after Saini reported it.


"We have confirmed that we have shut down all known ways to exploit it," T-Mobile said. "As of this time we've found no evidence of customer accounts affected as a result of this vulnerability."

An anonymous hacker tells Motherboard a different story, however, saying "a bunch of sim swapping skids had the [vulnerability] and used it for quite a while." They apparently used the information obtained through the flaw to impersonate the rightful owners of a line, tricking T-Mobile employees into handing over new SIM cards and hijacking the phone numbers.

When Motherboard asked T-Mobile about the hacker's claim, the carrier reiterated that it has found no evidence of customer accounts being affected by the flaw.
