The bug exposed customers’ email addresses, their billing account numbers, and the phone’s IMSI numbers. T-Mobile has patched the bug.
Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.
The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew—or guessed—your phone number to obtain data that could’ve been used for social engineering attacks, or perhaps even to hijack victim’s numbers.
“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini, who is the founder of startup Secure7, told Motherboard in an online chat.
“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” he added.
There was no mechanism to prevent someone from writing a script and automatically retrieving everyone’s account details abusing this bug, according to Saini. An attack like that would be similar to what Andrew Auernheimer, also known by his hacker moniker Weev, did when he obtained the email addresses of 114,000 iPad users thanks to a bug on an AT&T site. That hack eventually sent Auernheimer to jail for a year. In November of 2015, other researchers found a similar bug in a MetroPCS website, helping the company fix it.
Saini explained that the bug was within the wsg.t-mobile.com API. The researcher found that he could query for someone else’s phone number and the API would simply send back a response containing the other person’s data.
Contrary to Saini’s findings, T-Mobile told Motherboard the issue impacted only a small part of their customers. In a statement sent to Motherboard, the company said that “we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly.”
“We appreciate responsible reporting of bugs through our Bug Bounty program to protect our customers and encourage researchers to contact us at: email@example.com, firstname.lastname@example.org, email@example.com,” a spokesperson said in an email.
Karsten Nohl, a cybersecurity researcher who has done work studying cellphone security, told Motherboard that, theoretically, by knowing someone’s IMSI number, hackers or criminals could track a victim’s locations, intercept calls and SMS, or conduct fraud by taking advantage of flaws in the SS7 network, a backbone communications network that is notoriously insecure. Still, Nohl added that “there is no obvious way to make money easily with just an IMSI,” so it’s hard to tell whether such an attack would be attractive to cybercriminals.
According to Saini, T-Mobile thanked him and offered a reward of $1,000 as part of its bug bounty program, which rewards friendly hackers who find and alert the company of vulnerabilities.
UPDATE, Oct. 10, 5:14 p.m. ET: After this story was published, a blackhat hacker who asked to remain anonymous warned Motherboard that the recently patched bug had been found and exploited by other malicious hackers in the last few weeks.
“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.
To prove their claim, the hacker sent me my own account’s data.
We reached out to T-Mobile to ask about these claims.