The bug discovered by the researcher Ryan Stevenson resides in the T-Mobile subdomain promotool.t-mobile.com used by the staff as a customer care portal to access the company’s internal tools.
The promotool.t-mobile.com subdomain contained a hidden API that would return customer data simply by invoking it with the customer’s cell phone number as a parameter.
The data leak was caused by the lack of any authentication mechanism for calling the API, in this way anyone could have had access to any customer record including full name, postal address, billing account number, and in some cases information about tax identification numbers.
The exposed records also included references to account PINs used by customers as a security question when they contact the customer case, this means that an attacker could use that information to impersonate a customer and take over its account.
“Although the API is understood to be used by T-Mobile staff to look up account details, it wasn’t protected with a password and could be easily used by anyone.” reported ZDnet.
“The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.”
Searching for the portal on the Wayback Machine we can verify that the subdomain is online at least since October.
Stevenson reported the flaw to the telco giant in early April, the company quickly disabled the API and awarded the researcher of $1,000 under its bug bounty program.
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.” said T-Mobile spokesperson.
“The bug was patched as soon as possible and we have no evidence that any customer information was accessed,” the spokesperson added.
This isn’t the first time that T-Mobile discovered such kind of issues, in October Motherboard reported another API accessible from a different T-Mobile subdomain.
In February, Motherboard journalist Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking reporting that T-Mobile customers were victims of an info disclosure exploit.
(Security Affairs – hacking, data leak)