Slashdot Mirror


T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victims' numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
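The bug described above is an instance of a broad class: a lookup endpoint keyed on a guessable identifier (here a phone number) with no check that the caller is entitled to the record, which turns "guess a number" into "scrape the whole table". As an added example, not code from the article, from T-Mobile, or from the researcher, here is a small Python simulation of that pattern beside a hardened version that requires an authenticated session, only returns numbers on the caller's own account, gives the same empty answer for "not yours" and "does not exist", and rate-limits each client. The subscriber records, account numbers, IMSI values, session object and limiter parameters are all constructed for illustration.

```python
"""Illustration of the bug class described in the article: an unauthenticated
lookup keyed on a phone number, beside a hardened version. All records, names,
account numbers and IMSIs below are constructed sample data, not real data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional
import time


@dataclass(frozen=True)
class Subscriber:
    phone: str            # digits only, e.g. "15550000001" (constructed)
    name: str
    email: str
    account_number: str   # one billing account may hold several lines
    imsi: str


# Constructed sample data standing in for the carrier's subscriber table.
SUBSCRIBERS = {
    s.phone: s for s in [
        Subscriber("15550000001", "Alice Example", "alice@example.com", "ACCT-1001", "310260000000001"),
        Subscriber("15550000002", "Bob Example", "bob@example.com", "ACCT-1001", "310260000000002"),
        Subscriber("15550000007", "Carol Example", "carol@example.com", "ACCT-1007", "310260000000007"),
    ]
}


def lookup_vulnerable(phone: str) -> Optional[Subscriber]:
    """The flawed pattern: the phone number is the only key and there is no
    authorization check, so anyone who knows or guesses a number gets the
    record, including the other lines on the same billing account."""
    return SUBSCRIBERS.get(phone)


@dataclass
class Session:
    """What an authenticated request carries: the account the user logged in to."""
    account_number: str


class RateLimiter:
    """Fixed-window limiter keyed by client. It does not fix the authorization
    bug, but it slows down a scraping script. Limit and window are assumptions."""

    def __init__(self, limit: int, window_s: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits: dict[str, tuple[float, int]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window_s:      # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._hits[client] = (start, count)
            return False
        self._hits[client] = (start, count + 1)
        return True


def lookup_hardened(session: Optional[Session], phone: str, client: str,
                    limiter: RateLimiter) -> Optional[Subscriber]:
    """Hardened pattern: require authentication, return only lines that belong
    to the caller's own account, and answer identically for 'not yours' and
    'does not exist' so the response cannot be used to enumerate numbers."""
    if not limiter.allow(client) or session is None:
        return None
    sub = SUBSCRIBERS.get(phone)
    if sub is None or sub.account_number != session.account_number:
        return None
    return sub


def scrape(prefix: str, lookup: Callable[[str], Optional[Subscriber]]) -> list[Subscriber]:
    """The kind of script the researcher describes: walk a block of ten
    consecutive numbers and keep every record the endpoint hands back."""
    return [sub for i in range(10) if (sub := lookup(prefix + str(i))) is not None]


def demo() -> tuple[int, int, int]:
    """Returns (hits against the vulnerable lookup, hits for an unauthenticated
    client against the hardened lookup, hits for an authenticated user)."""
    limiter = RateLimiter(limit=100, window_s=60)
    vuln = len(scrape("1555000000", lookup_vulnerable))
    anon = len(scrape("1555000000", lambda p: lookup_hardened(None, p, "attacker", limiter)))
    bob = Session("ACCT-1001")
    own = len(scrape("1555000000", lambda p: lookup_hardened(bob, p, "bob", limiter)))
    return vuln, anon, own


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable lookup the ten-number sweep returns all three records; against the hardened one an unauthenticated client gets nothing, and a logged-in user sees only the two lines on their own account, with the line on the other account indistinguishable from a number that does not exist. The limiter is a second layer: even if an authorization check were later broken, a per-client window caps how fast a table can be walked.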

3 of 62 comments

  1. Hacker? by DontBeAMoran · Score: 3, Insightful

    T-Mobile website allowed hackers to access your account data with just your phone number.

    If all it takes is to type a phone number in the URL, then it's not hacking.

    "Unlocked doors allow thieves to open them" sounds just as stupid. If they're unlocked, anyone can open them, not just thieves.

    --
    #DeleteFacebook
    1. Re:Hacker? by TooMuchToDo · Score: 3, Informative

      The US government considers it so, and prosecutes for it.

      "A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release."

      https://www.wired.com/2013/03/...

    2. Re:Hacker? by Anonymous Coward · Score: 4, Insightful

      Here's the problem with criminalizing accessing publicly accessible data... you put the burden on the *user* of determining what freely available data they "ought" to have access to.

      That's backwards. The custodians of the data have a duty to make it available appropriately... it's not the job of the public to guess at whether public data should be public.