T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com)
Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victim's numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
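The summary describes a lookup that returns a subscriber's record for any phone number the caller supplies. The following is an added illustration of that class of flaw (a missing authorization check on a direct object reference), not T-Mobile's code and not code from the article: a hypothetical handler that trusts the number in the query string, beside one that only serves lines belonging to the authenticated session's own account. The `Request` shape, the `ACCOUNTS` store and every number in it are constructed for the example.

```python
"""Added illustration, not T-Mobile's code: an account-lookup handler that
trusts a caller-supplied phone number, beside a version that authorizes the
lookup against the authenticated session. Names and data are made up."""
from dataclasses import dataclass
from typing import Optional


def _account(name, number, imsi, lines):
    return {"name": name, "email": f"{name}@example.invalid",
            "account_number": number, "imsi": imsi, "lines": lines}


# Constructed subscriber store keyed by phone number; two lines share one family account.
_FAMILY = _account("alice", "ACCT-0001", "310260000000001", ["5550100001", "5550100002"])
ACCOUNTS = {
    "5550100001": _FAMILY,
    "5550100002": _FAMILY,
    "5550100003": _account("carol", "ACCT-0003", "310260000000003", ["5550100003"]),
}


@dataclass
class Request:
    params: dict                    # query-string parameters
    session_msisdn: Optional[str]   # number bound to the login session, None if anonymous


class Forbidden(Exception):
    pass


def lookup_vulnerable(req: Request):
    """Keys the lookup on whatever number the URL carries and never asks who is
    calling, so anyone who knows (or guesses) a number gets that subscriber's record."""
    return ACCOUNTS.get(req.params.get("phone", ""))


def lookup_hardened(req: Request):
    """Requires a session and only serves lines that belong to the session's own account."""
    if req.session_msisdn is None:
        raise Forbidden("authentication required")
    own = ACCOUNTS.get(req.session_msisdn)
    phone = req.params.get("phone", req.session_msisdn)
    # Same refusal whether the number is someone else's or does not exist, so the
    # endpoint cannot be used to confirm which numbers belong to customers.
    if own is None or phone not in own["lines"]:
        raise Forbidden("not authorized for this line")
    return ACCOUNTS[phone]
```

The hardened handler still answers for other lines on the same family plan, which is the legitimate use the commenters mention; what changes is that the set of reachable records is bounded by the caller's own account rather than by the numbers they can guess. Rate limiting and logging of refused lookups belong on top of this check, not in place of it.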
Guess what service I'm glad I nev... well, shit. A time to be glad I'm not the actual account owner (family plan).
There is no XUL, only WebExtensions...
If all it takes is to type a phone number in the URL then it's not hacking.
"Unlocked doors allow thieves to open them" sounds as stupid. If they're unlocked, anyone can open them, not just thieves.
#DeleteFacebook
All my other info is out there anyway. If they already know my phone number, there's not much else they need. Thanks, Equifax.
It was a feature. But don't tell the press that!
Seems like Equifax can learn a thing or two from T-Mobile.. they're much better at fixing bugs/security holes
"T-Mobile didn't find any evidence that hackers exploited, much less even found, the vulnerability."
Given that those data accesses didn't throw any security errors, I don't trust that T-Mobile would have logged any suspicious activity related to this vulnerability.
I hope that their security is more comprehensive than that, I just don't trust that it is.
I pretty much trust that it isn't. Privacy is largely overrated, and any number attached to your name can eventually be found.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Do you have anything to back that up?
All I found in the original article from T-Mobile was:
Contrary to Saini's findings, T-Mobile told Motherboard the issue impacted only a small part of their customers. In a statement sent to Motherboard, the company said that "we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly."
As far as I can tell, that doesn't clarify whether they have safeguards to detect the accesses and nothing came up or if they simply don't have anything in place and therefore didn't detect anything.
My phone company back in the 1980s would accidentally mail me a thick book with everyone's phone number and physical address. I really could have done some crazy stuff with it, but the most I did with it was to call my classmate's house..
I think there might be a flaw in your master plan there Pinky.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I'm thinking they looked back in access logs and didn't see any sequential or high rate queries. While that's not even remotely 100% it is a decent indicator of not having been majorly exploited.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That's what I would assume too. Though, if I were trying to exploit it, I'd try to do it gradually over a long time to not spike activity and you wouldn't necessarily have to make a lot of effort to fly under the radar. Probably just try to vary your IP addresses but keep them within T-Mobile's service areas. Though it probably depends on what kind of traffic analysis they do.
How likely they'd be to find that would partly depend on how long the vulnerability was present and them keeping their logs for a sufficient length of time. It may have aged out of their logs. It would also depend whether the vulnerability was limited to a small subset, most or all of their customers. T-Mobile's response indicated that it was just some customers. If it didn't work for others and threw a flag it would probably have been caught quickly. Alternatively, to T-Mobile, "some" might mean "all".
I'm increasingly skeptical of large companies handling security well in light of other news: Equifax, Yahoo, etc.
Of course, all of this is coming from someone who has had little training and done very little work with computer security.
No. The plan where you get every T-Mobile customer to access your website Pinky. But also that too.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Yep ... you are one stupid motherfucker.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Time to take your meds. Off you go now ...
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I've had a fair amount of experience etc. with this. Like I said, not 100% and as to being sly there are two MOs:
1) like you said, sly, spread out, not searching blocks of numbers
2) crash and grab, dump as much as fast as possible before getting caught.
If they recognised the value and wanted to get at the data as long as possible, then yes #1 is how they'd go, and reviewing the logs wouldn't be all that reliable.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
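The two comments above (looking back through access logs for sequential or high-rate queries, and the two MOs of block dumping versus slow spread-out scraping) describe a log review without showing one. Here is an added example, not from the thread and not anything T-Mobile has published, that runs the three checks over a constructed access log: peak request rate per source in a sliding window, the longest run of consecutive numbers a source queried, and the count of distinct lines a source looked up over the whole retained window, which is the one signal that still fires for the slow MO. The log format, the `/api/account?phone=` path, the thresholds and all addresses and numbers are assumptions made for the example.

```python
"""Added example, not from the thread or from T-Mobile: scan constructed
web-server access logs for the enumeration patterns discussed above
(block-sequential / high-rate dumps, and slow spread-out scraping)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-timestamp> <client-ip> GET /api/account?phone=<10 digits> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) GET /api/account\?phone=(?P<phone>\d{10}) (?P<status>\d{3})$"
)


def _line(t, src, phone, status=200):
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} GET /api/account?phone={phone} {status}"


T0 = datetime(2017, 10, 10, 12, 0, 0)
# Constructed sample log (addresses from RFC 5737 documentation ranges; numbers made up):
SAMPLE_LOG = (
    # 30 lookups in 30 s walking a contiguous block of numbers: the "crash and grab" MO
    [_line(T0 + timedelta(seconds=i), "203.0.113.5", 5550100001 + i) for i in range(30)]
    # a normal customer checking their own line a few times
    + [_line(T0 + timedelta(minutes=5 * i), "192.0.2.44", 5550100777) for i in range(3)]
    # 60 scattered numbers, one every 12 hours for a month: the slow MO
    + [_line(T0 + timedelta(hours=12 * i), "198.51.100.9", 5550200000 + 7 * i) for i in range(60)]
)


def parse(lines):
    """Yield (timestamp, source, phone) for lines that hit the lookup endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], int(m["phone"])


def longest_sequential_run(phones):
    """Length of the longest run of consecutive numbers among those queried."""
    best = run = 0
    prev = None
    for n in sorted(set(phones)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def peak_rate(times, window_s):
    """Maximum number of requests inside any sliding window of window_s seconds (times sorted)."""
    peak = j = 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def analyse(lines, window_s=60, rate_limit=20, run_limit=5, distinct_limit=50):
    """Return {source: [reasons]} for sources whose lookup pattern looks like enumeration.
    Thresholds are illustrative; tune them against real traffic."""
    per_src = defaultdict(list)
    for ts, src, phone in parse(lines):
        per_src[src].append((ts, phone))
    findings = {}
    for src, events in per_src.items():
        events.sort()
        times = [e[0] for e in events]
        phones = [e[1] for e in events]
        reasons = []
        rate = peak_rate(times, window_s)
        if rate >= rate_limit:
            reasons.append(f"high rate: {rate} lookups within {window_s}s")
        run = longest_sequential_run(phones)
        if run >= run_limit:
            reasons.append(f"sequential block: {run} consecutive numbers")
        distinct = len(set(phones))
        if distinct >= distinct_limit:
            reasons.append(f"many distinct lines: {distinct} numbers over the retained log window")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The distinct-lines check only works as far back as the logs reach, which is the retention caveat raised in the reply: a scraper that pauses longer than the retention window, or spreads requests across many sources, drops below every per-source threshold here, so a customer-facing lookup also needs an authorization check on the endpoint itself rather than detection alone.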
If you want to be taken seriously by the people who belong here create and account and log in. No real slashdotter gives a fuck what some idiot rambles on about as an AC, because we know what AC status is for and how it is being abused.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Slashdot lost all hope long ago My incompetent friend.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Well at least you finally posted something worthwhile anyeah. Pink is fucking awesome!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
"call 1-805-637-7243, otherwise known as the "Voice Mail Back Door number." When you hear the prompt, i.e. "Welcome to the T-Mobile messaging center. Please enter the 10-digit number of the person you are trying to reach," enter the number. You will then be connected directly with that person's voicemail. Press "1" to leave a message, leave your message and hang up." http://answers.google.com/answ...
Every day like there has been for a few days now... IT will finally be forced to turn into a profession.
....should just get a new identity and move. We get random names, SSNs, and addresses assigned and start our lives over from scratch.