Slashdot Mirror

← Back to Stories (view on slashdot.org)

T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

40 comments

  1. What is RIP? by Anonymous Coward · · Score: 0

    In death context

    1. Re: What is RIP? by Anonymous Coward · · Score: 0

      Rest In Pussy

    2. Re:What is RIP? by DickBreath · · Score: 1

      Rust in Pieces

      --

      I'll see your senator, and I'll raise you two judges.
  2. use pre paid by DogDude · · Score: 1

    For security reasons, I always use pre-paid "plans" with my cell phones. They're cheaper, simpler, and there's no personal information stored outside of payment information (which can be made with any kind of card).

    --
    I don't respond to AC's.
    1. Re:use pre paid by KiloByte · · Score: 2

      and there's no personal information stored outside of payment information

      There are many ways to top-up a pre-paid plan without a card. On the other hand, the "no personal information" thing is why in countries with a Nazi government (such as our current National-Socialist-Theocrat govt in Poland), you have to register your SIM card with the government, and trying to randomize/change the IMEI gets punished harsher than a rape.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:use pre paid by Anonymous Coward · · Score: 0

      gets punished harsher than a rape

      changing IMEI is 3 months to 5 years, rape is 6 months to 10 years

    3. Re:use pre paid by houghi · · Score: 1

      In Belgium you also need to register the SIM card. This was done after the Brussels Airport bombs and the fact that they found a lot of burned phones with the terrorists.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:use pre paid by sabri · · Score: 1

      changing IMEI is 3 months to 5 years, rape is 6 months to 10 years

      Minimum and maximum codified sentences do not reflect the average sentence handed down by courts.

      --
      I'm not a complete idiot... Some parts are missing.
    5. Re:use pre paid by KiloByte · · Score: 1

      Right. I paraphrased an inaccurate sound bite, but with the correction, the main point stands: there's a mandatory prison sentence for an action that in a country with sane privacy rules should be mandatory to perform. Just like MAC address when scanning WiFi endpoints, IMEI needs to be randomized or you can be accurately tracked at any time.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. RESTful APIs (sans RBAC) FTW by xxxJonBoyxxx · · Score: 1

    I'll bet $100 that there's a "spec" written by a guy with two years development experience that looks like this:

    GET https://api.corpsite.com/customer/ID - returns the customer data (in JSON or XML) for the provided ID

    I'll bet another $100 that there's no mention of any authenticated roles needed to access that call and an extra $100 that there were never any tests designed to try to access a customer's data while signed on as a different customer.

    Play stupid games...

    1. Re:RESTful APIs (sans RBAC) FTW by 110010001000 · · Score: 1

      RMS said it best: the problem is the data collection itself. You can add a "password" or "authentication" to it, but the problem is that the data in stored somewhere and anyone with the "authentication" can access it. No data is safe.

    2. Re:RESTful APIs (sans RBAC) FTW by Anonymous Coward · · Score: 0

      This should be prosecuted fully. Negligent and highly illegal exposure of private data. Massive fines, huge hit to the bottom line, CEOs seeing their precious share price hammered. Until we start doing that every time something like this is uncovered, there is absolutely no chance that companies will care or make any effort to prevent it from happening.

    3. Re:RESTful APIs (sans RBAC) FTW by JackieBrown · · Score: 1

      All the phone agents that work there should be fined too! And the janitors! I guarantee you they had as much knowledge of coding as the CEO

    4. Re:RESTful APIs (sans RBAC) FTW by Anonymous Coward · · Score: 0

      Hey, the reason the CEO makes that huge sum is that they are responsible for the company. If they want to pay a janitor 1mil per year, he can be held accountable too ;)

    5. Re:RESTful APIs (sans RBAC) FTW by greenwow · · Score: 1

      > by a guy

      I assume you mean by "guy" you mean an "Indian guy." The ones I've worked with in the past over forty+ years I've worked in tech in the Seattle area typically only stay a couple of years, create a mess, and then move on. I can't blame them since that's basically the only way you can get a raise.

    6. Re:RESTful APIs (sans RBAC) FTW by Anonymous Coward · · Score: 0

      I tested this! I was let go, because all the problems I kept finding "made" them miss deadlines.

      And you are wrong. The spec was written by a guy with 5+ years of experience ... in India. Although I am not sure if whipping something up in Tibco qualifies as "development" experience.

      But I think you owe me $200?

      I'm so glad to be out of there. :D

    7. Re:RESTful APIs (sans RBAC) FTW by JustAnotherOldGuy · · Score: 1

      > by a guy

      I assume you mean by "guy" you mean an "Indian guy."

      I wish I could disagree, but I can't.

      Sadly, the vast majority of Indian coders I've worked with are dreadful. ZERO initiative, sloppy coding, virtually no insight into possible usage issues or corner cases, and their documentation, needless to say, is either nonexistent or completely incomprehensible.

      Not all of them, but I'd say 90% of them are as useless as a Reggae band at a Klan rally.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:RESTful APIs (sans RBAC) FTW by dknj · · Score: 1

      I actually find a majority of Indian coders I have worked with to be the most skilled and competent. I have found that a strict development process is key in any coding shop and all the complaints you have are a symptom of a bad leader. Zero initiative is solved by showing a backlog and being quick to fire. After a few heads roll, people will start showing initiative to not get fired. Sloppy coding is solved with linting tools and style enforcement upon merge request. Usage issues are not the developers problem but should be coming from your QA team building valid tests for your described corner cases. Documentation is solved with peer review and spot checking. Peers ensure code is documented to satisfaction, scrum master ensures documentation is a task that gets completed.

      Instead of being racist and casting a negative light on all, or excuse me a vast majority of, Indian coders how about you take a step back and think about why that kind of culture is allowed to perpetuate in the first place.

      cue response: "this was at a company a long time ago, i've since moved on and i have added indians to the list of races i don't work with anymore"

      -dk

    9. Re:RESTful APIs (sans RBAC) FTW by freudigst · · Score: 1

      Hey, the reason the CEO makes that huge sum is that they are responsible for the company. If they want to pay a janitor 1mil per year, he can be held accountable too ;)

      Unfortunately for all of their customers, the ability to be informed (and thereby responsible) fails to come with the salary.

    10. Re:RESTful APIs (sans RBAC) FTW by JustAnotherOldGuy · · Score: 1

      Instead of being racist and casting a negative light on all, or excuse me a vast majority of, Indian coders how about you take a step back and think about why that kind of culture is allowed to perpetuate in the first place.

      Instead of assuming my comments were driven by racism, how about you step back and think about why you would jump to that conclusion. I would make similar comments about any group of developers that exhibited such traits, and I have indeed seen them across all races and genders.

      But to be blunt, based on my experience and what I've personally observed in the last 20+ years or so, many of the Indian coders in the dev teams that I've been a part of are not good coders. It's not confined to any one race or sub-group. IT'S BASED ON WHAT I'VE SEEN, not any nebulous dislike of some group or race or whatever. It may not be politically correct, but it is what I have seen and experienced.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  4. Could get expensive by Bruce66423 · · Score: 1

    I can hear the Europeans sharpening their knives to make use of the new regulations about keeping data safe to fine T mobile serious money. At least let's hope so; mistakes like this should result in serious damage - in the hundreds of millions - to organisations profits.

    1. Re: Could get expensive by Anonymous Coward · · Score: 0

      T-mobile isnt a provider in Europe, how do you expect them to fine the company?

    2. Re: Could get expensive by Anonymous Coward · · Score: 0

      You're talking about T-Mobile, the mobile arm of Deutsche Telekom, right? The one based in Germany?

    3. Re: Could get expensive by Anonymous Coward · · Score: 0

      Cool, maybe we can bankrupt every business. Life will be much better then right?

    4. Re:Could get expensive by JackieBrown · · Score: 1

      Exactly! Here's hoping this destroys T-Mobile and we can go back to having 2 carriers like government intended!

    5. Re:Could get expensive by freudigst · · Score: 1

      Europe(ans) could care less about what happens to the data of Americans in America.

  5. I have an idea! by ausekilis · · Score: 3, Insightful

    Lets create an un-advertised domain that is connected to the internet and allows full access to account information!
    Even better, lets make sure there's no authentication required!

    Seriously, why isn't this only on some T-Mobile intranet that is locked down to only those people with appropriate need-to-know and signed agreements?
    Most list-reader monkeys don't need access to anything more than my name and zip code. Billing may need stuff like bank accounts, but nobody really needs to maintain tax information. They aren't sending me a 1099 come January - mark a credit check as approved and a date, no need for more.

  6. Amateurs by Anonymous Coward · · Score: 0

    This is a TOTALY amateur mistake. Did they have high school script kiddies write their website?

    1. Re:Amateurs by DickBreath · · Score: 1

      Do you think they were hiring based on quality? Or based on cost? How cheap can we hire them for? Oh, look, this candidate looks like the cheapest of the pile.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Amateurs by Dracos · · Score: 1

      Account security is why I left T-Mobile in 2007. I'm not looking forward to being their customer again due to the Sprint merger.

  7. Not surprised by jetkust · · Score: 1

    I use T-Mobile's. Though the service works well, pretty much all of their client software is a train wreck, all their apps are unusable, and their customer service is like an episode of the twilight zone. If anything goes wrong, you're better off just creating a new account than trying to get it fixed.

  8. Could be worse by Anonymous Coward · · Score: 0

    Could have included account passwords. Hello Comcast.

    I would be willing to bet LDAP directories accessible publically of many universities are not much better.

    These are not bugs or oversights. People doing it must have known implications of their decision and yet they chose to go there anyway. They don't deserve mercy or a second chance.

  9. Because security through obscurity is cheaper by ZNetracer · · Score: 2

    Let's face it, security through obscurity is cheaper. Also, there's virtually no real, permanent or painful consequences for a large corporation that doesn't secure their customers data. More than likely, they're the only provider of a service that you need or the other guys do the same thing anyway. Perhaps you'll get a public mea culpa , a "we're sorry" add campaign in public media and one years worth of BS identity protection services. The truth is, they just don't care about your data, except for the money they can make off of it or the problems their lack of due diligence will cause you. BTW the Federal and State agencies are just as bad. In their case though it's largely because they don't have the money to fix the problems or they just don't want to spend it. In reality, it's buyer beware. Know who and what data you're giving away.

  10. What a load of crap by scdeimos · · Score: 2

    "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

    Really? By no evidence do you mean that no activity log files were created or stored? Because elsewhere in TFA it says:

    Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone.

    1. Re: What a load of crap by Anonymous Coward · · Score: 0

      Bingo. I do incident response for a living, and Iâ(TM)ve been in numerous meetings where corporate lawyers wordsmith these legally-required breach disclosures. Yes, itâ(TM)s a breach, and yes, T-Mobile HAS to put statements such as these out... They arenâ(TM)t doing it out of the goodness of their hearts.

      The âNo evidence that customer info was accessedâ(TM) is a giant red flag that they had no logging. Critically, they arenâ(TM)t saying âWe have proof nothing happenedâ(TM), theyâ(TM)re saying âwe have no evidence of anything at allâ(TM).

  11. Need a New Word by Anonymous Coward · · Score: 2, Insightful

    This is not a bug. This is gross negligence of some kind and should be called that. A bug implies (to me, and most devs I know) a non-obvious defect in implementation. A mistake.

    This is like building a records office and putting it in the lobby of city hall in card board boxes. No one would call that a simple "mistake".

  12. Not a bug by JustAnotherOldGuy · · Score: 1

    This was not a "bug", this was just craptastic coding by some jackass developer.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  13. A bug or done on purpose? by Anonymous Coward · · Score: 0

    Why jump to conclusion this is a bug? Something like this seems a bit more on purpose then a accident.