A bug in the T-Mobile website allowed anyone to access a user’s personal account details by using just their phone number.
The flaw, since fixed, lived on a little-known T-Mobile subdomain, promotool.t-mobile.com, that staff use as a customer care portal to reach the company's internal tools and that is easy to find on search engines. The subdomain exposed a hidden API that returned T-Mobile customer data when a customer's cell phone number was simply appended to the end of the web address.
Although the API was intended only for T-Mobile employees looking up account information, it required no authentication, so anyone who knew the address could have queried it.
Data that could be accessed included a customer's full name, postal address, billing account number and, in some cases, tax identification number. Also exposed was account status, such as whether a bill was past due or the service was suspended, along with references to the account PINs customers use as a security question when contacting support.
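To make the failure concrete, here is an added illustration that is not T-Mobile's code and takes nothing from the report beyond the description above: a minimal lookup handler with the same flaw (any caller who knows the URL shape gets the record for a phone number) beside a hardened version. The URL path `/lookup/<phone>`, the customer record, the staff role name and the session scheme are all invented for the example.

```python
"""Unauthenticated customer lookup beside a hardened version.

Constructed example, not T-Mobile's code. The customer record, the
/lookup/<phone> path, the session store and the role names are invented.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample data: one customer record keyed by phone number.
CUSTOMERS = {
    "2125550100": {
        "name": "Jane Example",
        "address": "1 Example Way, Anytown",
        "billing_account": "12345678",
        "past_due": False,
        "suspended": False,
        "support_pin": "4321",
    }
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def phone_from_path(path: str) -> Optional[str]:
    """Extract the trailing phone number from /lookup/<phone>, else None."""
    parts = urlsplit(path).path.rstrip("/").split("/")
    if len(parts) == 3 and parts[1] == "lookup" and parts[2].isdigit():
        return parts[2]
    return None


def vulnerable_lookup(path: str, headers: dict) -> Response:
    """The flaw as described: no authentication, full record returned."""
    phone = phone_from_path(path)
    if phone is None or phone not in CUSTOMERS:
        return Response(404)
    return Response(200, dict(CUSTOMERS[phone]))


# Hardened version: server-side sessions carrying a role, tokens stored
# only as hashes so lookup cost does not depend on the secret, least-
# privilege field filtering, and an audit trail of every lookup attempt.
SESSIONS = {}   # sha256(token) -> {"user": ..., "role": ...}
AUDIT_LOG = []  # (user, phone, outcome) tuples


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user: str, role: str) -> str:
    """Create a session for a logged-in user and return the bearer token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_key(token)] = {"user": user, "role": role}
    return token


def _session_for(headers: dict) -> Optional[dict]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(_token_key(auth[len("Bearer "):]))


def hardened_lookup(path: str, headers: dict) -> Response:
    """Authenticate, authorise by role, log, and minimise what is returned."""
    sess = _session_for(headers)
    if sess is None:
        return Response(401)          # no lookup at all without a session
    phone = phone_from_path(path)
    if phone is None:
        return Response(400)
    if sess["role"] != "customer_care":
        AUDIT_LOG.append((sess["user"], phone, "forbidden"))
        return Response(403)          # logged-in but not care staff
    record = CUSTOMERS.get(phone)
    AUDIT_LOG.append((sess["user"], phone, "ok" if record else "not_found"))
    if record is None:
        return Response(404)
    # Least privilege: staff need account state, not the PIN value itself.
    visible = {k: v for k, v in record.items() if k != "support_pin"}
    visible["support_pin_set"] = bool(record["support_pin"])
    return Response(200, visible)
```

The two handlers take the same request, so the contrast is the point: the vulnerable one answers anyone and hands back the PIN, while the hardened one refuses to perform any lookup before a valid session exists, distinguishes "not logged in" (401) from "logged in but not entitled" (403), records who looked up which number, and strips the PIN down to a flag that is sufficient for a support workflow.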
The magenta carrier pulled the API offline in April, one day after it was reported by security researcher Ryan Stevenson, who was later awarded $1,000 through the company's bug bounty program.
A T-Mobile spokesperson said: “The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.”
“The bug was patched as soon as possible and we have no evidence that any customer information was accessed,” the spokesperson added.