T-Mobile Bug Let Anyone See Any Customer's Account Details (zdnet.com)
An anonymous reader writes: A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number, ZDNet reported Thursday. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.
Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone. The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.
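As an added illustration that is not from the article or from T-Mobile's own code, the mock Python handler below shows the shape of the flaw the summary describes (an account lookup keyed only by phone number, with no caller identity) next to a hardened version that requires a staff session, returns only the fields the caller's role needs, and records every lookup. All account records, role names and field sets are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample data; the real portal's data model is not known.
ACCOUNTS = {
    "5555550100": {
        "full_name": "Example Customer", "postal_address": "1 Example St",
        "zip": "00000", "billing_account_number": "BAN-0001",
        "tax_id": "XXX-XX-0000", "past_due": True, "suspended": False,
    },
}
# Assumed roles: each one sees only the fields its job requires.
FIELDS_BY_ROLE = {
    "care_rep": {"full_name", "zip", "past_due", "suspended"},
    "billing": {"full_name", "postal_address", "zip", "billing_account_number",
                "past_due", "suspended"},
}
AUDIT_LOG = []  # one entry per lookup attempt, successful or not

@dataclass
class Session:
    user: str
    role: str

def lookup_vulnerable(phone: str) -> dict:
    """The flawed pattern: no caller identity, whole record returned by phone number."""
    return ACCOUNTS.get(phone, {})

def handle_request(session: Optional[Session], phone: str) -> Tuple[int, dict]:
    """Hardened pattern: authenticate, authorize by role, minimise fields, audit."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user if session else None, "phone": phone,
    })
    if session is None:
        return 401, {"error": "authentication required"}
    allowed = FIELDS_BY_ROLE.get(session.role)
    if allowed is None:
        return 403, {"error": "role may not look up accounts"}
    record = ACCOUNTS.get(phone)
    if record is None:
        return 404, {}
    return 200, {k: v for k, v in record.items() if k in allowed}
```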
Let's create an un-advertised domain that is connected to the internet and allows full access to account information!
Even better, let's make sure there's no authentication required!
Seriously, why isn't this only on some T-Mobile intranet that is locked down to only those people with appropriate need-to-know and signed agreements?
Most list-reader monkeys don't need access to anything more than my name and zip code. Billing may need stuff like bank accounts, but nobody really needs to maintain tax information. They aren't sending me a 1099 come January - mark a credit check as approved and a date, no need for more.
and there's no personal information stored outside of payment information
There are many ways to top-up a pre-paid plan without a card. On the other hand, the "no personal information" thing is why in countries with a Nazi government (such as our current National-Socialist-Theocrat govt in Poland), you have to register your SIM card with the government, and trying to randomize/change the IMEI gets punished harsher than a rape.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Let's face it, security through obscurity is cheaper. Also, there's virtually no real, permanent or painful consequences for a large corporation that doesn't secure their customers' data. More than likely, they're the only provider of a service that you need or the other guys do the same thing anyway. Perhaps you'll get a public mea culpa, a "we're sorry" ad campaign in public media and one year's worth of BS identity protection services. The truth is, they just don't care about your data, except for the money they can make off of it or the problems their lack of due diligence will cause you. BTW the Federal and State agencies are just as bad. In their case though it's largely because they don't have the money to fix the problems or they just don't want to spend it. In reality, it's buyer beware. Know who and what data you're giving away.
Really? By no evidence do you mean that no activity log files were created or stored? Because elsewhere in TFA it says:
This is not a bug. This is gross negligence of some kind and should be called that. A bug implies (to me, and most devs I know) a non-obvious defect in implementation. A mistake.
This is like building a records office and putting it in the lobby of city hall in cardboard boxes. No one would call that a simple "mistake".