T-Mobile Customers’ Details Exposed via API Bug


Last week, a bug in a T-Mobile web-based application interface allowed anyone to request a customer's account details simply by entering that customer's phone number. The response exposed the device's identification data, the customer's email address, the answers to the account's security questions and more.


The bug was fixed after Motherboard's Lorenzo Franceschi-Bicchierai contacted T-Mobile about it. The flaw, first reported by a security researcher, was also being exploited by others, giving hijackers easy access to details that could be used to take over a customer's account and port the number to a new phone. With control of the victim's T-Mobile number, an attacker can then break into any other account that is protected only by SMS-based authentication.


The flaw in the application interface, hosted on wsg.T-Mobile.com, had become so well known among cybercriminals that a tutorial showing how to exploit it had been posted on YouTube, as reported by Franceschi-Bicchierai. According to a source who spoke to him, the bug had been exploited in attempts to take over victims' social media accounts.


As confirmed by Motherboard, the flaw was reported to T-Mobile by security researcher Karan Saini. The T-Mobile API at wsg.t-mobile.com was misconfigured so that it could be queried directly with nothing more than a phone number; it would then return all of the account data linked to that number, as reported by gearsofbiz.com on 12 October 2017.
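The weakness described above is a missing object-level authorization check: the endpoint looks up whatever phone number the caller supplies and never asks whether the caller is entitled to that record. The following is an added example, not T-Mobile's code and not derived from the actual wsg.t-mobile.com interface (whose parameters are not given in the article); it uses constructed in-memory subscriber records and made-up phone numbers to show the vulnerable lookup pattern beside a hardened version that ties the lookup to the authenticated line, returns the same error for "not yours" and "not found" so the endpoint cannot be used to enumerate subscribers, and verifies security answers server-side instead of handing them to the client.

```python
"""Vulnerable vs. hardened account-lookup endpoint (illustrative only).

Hypothetical example: the records, numbers, names and answers below are
constructed sample data, not real subscriber data or carrier code.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subscriber:
    phone: str                   # line the record belongs to
    account_id: str
    email: str
    device_id: str               # device identification data (made-up value)
    security_answers: tuple      # answers to the account's security questions


# Constructed sample records standing in for the carrier's backend.
SUBSCRIBERS = {
    "+15551230001": Subscriber("+15551230001", "A-1001", "alice@example.com",
                               "310260000000001", ("Rex", "Springfield")),
    "+15551230002": Subscriber("+15551230002", "A-1002", "bob@example.com",
                               "310260000000002", ("Fluffy", "Shelbyville")),
}


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


@dataclass(frozen=True)
class Session:
    """An authenticated caller; `phone` is the line the session was issued for."""
    phone: str


def lookup_vulnerable(phone: str) -> Optional[dict]:
    """The pattern described in the article: phone number in, full record out.

    No session is required and no check ties the caller to the record, so
    anyone who knows a number can pull that customer's details.
    """
    sub = SUBSCRIBERS.get(phone)
    if sub is None:
        return None
    return {
        "account_id": sub.account_id,
        "email": sub.email,
        "device_id": sub.device_id,
        "security_answers": list(sub.security_answers),
    }


def lookup_hardened(session: Optional[Session], phone: str) -> dict:
    """Object-level authorization: a caller may only read the line it authenticated as.

    Unauthorized and non-existent numbers fail identically, so the endpoint
    cannot be used as an oracle for which numbers are subscribers.
    """
    if session is None:
        raise Forbidden("authentication required")
    sub = SUBSCRIBERS.get(phone)
    if sub is None or sub.phone != session.phone:
        raise Forbidden("not authorized for this line")
    return {
        "account_id": sub.account_id,
        "email": mask_email(sub.email),
        # security answers are verification material: compared, never returned
    }


def mask_email(addr: str) -> str:
    """Show only the first character of the local part: alice@x -> a***@x."""
    local, _, domain = addr.partition("@")
    return (local[0] + "***@" + domain) if local else addr


def verify_security_answer(session: Session, question_index: int, answer: str) -> bool:
    """Server-side comparison replaces shipping the answers to the client."""
    sub = SUBSCRIBERS.get(session.phone)
    if sub is None or not 0 <= question_index < len(sub.security_answers):
        return False
    expected = sub.security_answers[question_index].strip().casefold().encode()
    return hmac.compare_digest(expected, answer.strip().casefold().encode())


if __name__ == "__main__":
    # Anyone can dump Bob's record through the vulnerable lookup...
    print(lookup_vulnerable("+15551230002"))
    # ...but Alice's session can only read Alice's line, and sees no secrets.
    alice = Session("+15551230001")
    print(lookup_hardened(alice, "+15551230001"))
    try:
        lookup_hardened(alice, "+15551230002")
    except Forbidden as exc:
        print("cross-account read blocked:", exc)
```

The point of the hardened version is not the masking or the constant-time compare on their own but the binding between the session and the record: the phone number in the request is treated as a claim to be checked against the caller's identity, never as the identity itself.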


Karan Saini, a security researcher and the founder of the startup Secure 7, identified the issue last week and reported it to T-Mobile. The company fixed the bug promptly and paid Saini a $1,000 bug bounty.


T-Mobile, for its part, told Motherboard that the bug affected only a small portion of its customers. In a statement to Motherboard, the company said it was alerted to the issue, investigated it and fully fixed it in less than 24 hours, and that it had found no evidence of the bug being shared more widely.


It is not certain whether the data exposed by the bug is what helped the hackers trick unwitting T-Mobile technical support staff into issuing replacement SIMs, but there is little doubt that it did: to back up their claim, the hackers sent data pulled from their own accounts.

» SPAMfighter News - 25-10-2017
