Slashdot Mirror


'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts (vice.com)

An anonymous reader quotes a report from Motherboard: The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn't been revealed until now. Within a day, T-Mobile classified it as "critical," patched the bug, and gave the researcher a $5,000 reward. That's good news, but it's unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed. The newly disclosed bug allowed hackers to log into T-Mobile's account website as any customer. "It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down," Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat. Shortly after we published this story, a T-Mobile spokesperson sent us a statement: "This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," the emailed statement read. "We found no evidence of customer information being compromised."

16 comments

  1. Correct use of "literally" by El+Cubano · · Score: 2

    "It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down," Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat.

    Someone please give this gentleman a pat on the back for correct use of the word "literally."

    Note: I am not being sarcastic or pedantic. It is just that it is such an oft-misused word that it is nice to see it used correctly.

    1. Re:Correct use of "literally" by Anonymous Coward · · Score: 0

      Check this out: https://www.merriam-webster.com/words-at-play/misuse-of-literally

    2. Re:Correct use of "literally" by Plus1Entropy · · Score: 2

      Check this out: https://www.merriam-webster.com/words-at-play/misuse-of-literally

      That was far more interesting than anything else I've read on /. today.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  2. But incorrect use of the "post article" button by ls671 · · Score: 1

    Correct use of "literally"

    But incorrect use of the "post article" button.

    This is a dupe:
    https://news.slashdot.org/stor...

    --
    Everything I write is lies, read between the lines.
  3. literally by Anonymous Coward · · Score: 0

    It's literally like...
    like literally
    like literally
    like like
    literally

    If you ever find yourself wanting to use this word. Just don't.

  4. We have top people working on this. TOP PEOPLE! by bobstreo · · Score: 2

    "We found no evidence of customer information being compromised."

    You really have to wonder how hard they actually looked for evidence, and how good their security and logging is if they did not actually find anything...

  5. not even fixed by Anonymous Coward · · Score: 0

    If T-Mobile fixed their account website then why are other people's accounts still accessible by MSISDN without logging in?

    https://duckduckgo.com/?q=%22mim.t-mobile.com%2Fprimary%2FopenPage%3Fmsisdn%3D%22&t=h_&ia=web

    Blatant lies, T-Mobile sucks ass, fix your fucking shit, assholes.

  6. Re:sex 3i7h a dick by filesiteguy · · Score: 1

    Wow, second goatse link in a day. I must get back to /. more often.

  7. Every true American must watch this by Anonymous Coward · · Score: 0

    Queue sniffer bots down votes.

    Christopher Bollyn: Making Sense of the War on Terror

    This is the most clear, coherent and concise explanation of the "War on Terror" ever created.

    Every American must watch this to understand what your countrymen have been fighting and dying for.

    The rest of the world already knows this, that's why they don't like you very much right now.

    Do not call yourself a true American until you've watched it.

    You owe it to yourself, your family, your friends, your countrymen and the world, to learn the truth and spread the words.

    For world peace.

    "The evidential trail for 9/11 and the wars in Afghanistan and Iraq runs from PNAC, AIPAC and their cohorts; through the mostly Jewish neo-cons in the Bush Administration; and back to the Israeli government. None of the denials and political machinations can alter that essential reality."
    Dr. Alan Sabrosky, former Director of Studies U.S. Army War College
    "Treason, Betrayal and Deceit: 9/11 and Beyond" (2009)

  8. That explains the text by rwa2 · · Score: 1

    They sent out some SMS alert earlier this month talking about "an industry-wide phone number port out scam"
    https://www.t-mobile.com/custo...

    Not really related, sure, but a good smoke screen... "everyone is having security issues", I suppose.

    1. Re:That explains the text by SeaFox · · Score: 1

      They sent out some SMS alert earlier this month talking about "an industry-wide phone number port out scam"
      https://www.t-mobile.com/custo...

      I noticed that happened right after that story about the man who lost the cryptocurrency after his (2FA used) T-Mobile number was ported to an attacker's account on AT&T because the T-Mobile rep got social-engineered, it sounds like.

  9. This is a timely repost - it just happened to me. by Anonymous Coward · · Score: 0

    Ported out my # and attacked my bank account. If it weren't for a delay in the text message routing and a notice from my bank app I wouldn't have known for weeks.

  10. Re: This is a timely repost - it just happened to by Anonymous Coward · · Score: 0

    I never got any text from T-Mobile about the attacks as their site claims, BTW.

  11. Re: We have top people working on this. TOP PEOPLE by Anonymous Coward · · Score: 0

    My account was hijacked in November. I'd say whoever was in my T-Mobile account compromised my information.

    I've suspected the whole time it was a massive flaw in their website, because none of my other online accounts were compromised and I've never previously had this happen in 20 years of web browsing.