T-Mobile Customer’s Details Targeted via API Bug
Last week, a bug disclosed to T-Mobile in a web-based application interface, and actively exploited before it was fixed, enabled users to request account details by entering nothing more than a phone number. The identification data of the device, the customer's email address, the secret answers to security questions, and other such information could be obtained this way.
This bug was fixed after Motherboard's Lorenzo Franceschi-Bicchierai contacted T-Mobile about it, following a tip from an unidentified security researcher who said the bug was also being exploited by others. It offered attackers easy access to the details they need to hit customers' accounts and switch their numbers to new phones, and with control of a victim's T-Mobile SIM card they could then get into any other account safeguarded by SMS-based authentication.
The flaw in the application's interface, hosted on wsg.T-Mobile.com, had become so popular with cybercriminals that a tutorial had even been posted on YouTube. The video shows how to exploit the application, as reported by Franceschi-Bicchierai. According to information provided to him by a source, the bug had been exploited in attempts to take over victims' social media accounts.
As confirmed by Motherboard, the flaw was reported to T-Mobile by security researcher Karan Saini. T-Mobile's API at wsg.t-mobile.com was misconfigured and could be queried directly with just a phone number. The API would then return all the account data linked to that phone number, as stated on gearsofbiz.com on 12th October 2017.
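To make the class of bug concrete for defenders, here is an added illustration (not T-Mobile's code, and not from the original report) of an account-lookup API keyed only on a phone number, beside a version that enforces object-level authorization. All records, tokens and field names are constructed for the example.

```python
"""Constructed example: a phone-number keyed account lookup, vulnerable and hardened."""
from typing import Optional

# Constructed sample subscriber records (not real data).
ACCOUNTS = {
    "+15555550100": {"email": "alice@example.invalid",
                     "device_id": "CONSTRUCTED-DEVICE-1",
                     "security_answer": "blue"},
    "+15555550199": {"email": "bob@example.invalid",
                     "device_id": "CONSTRUCTED-DEVICE-2",
                     "security_answer": "fido"},
}

# Constructed sessions: token -> phone number the caller authenticated as.
SESSIONS = {"tok-alice": "+15555550100", "tok-bob": "+15555550199"}


def lookup_vulnerable(msisdn: str) -> Optional[dict]:
    """Mirrors the reported behaviour: no credentials, any number, full record."""
    return ACCOUNTS.get(msisdn)


class Forbidden(Exception):
    """Raised when the caller may not read the requested account."""


def lookup_hardened(session_token: str, msisdn: str) -> dict:
    """Object-level authorization: a record is only readable by the subscriber
    whose session this is, and secret answers never leave the server."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("no valid session")
    # Bind the requested object to the caller's own identity. Use one error
    # for 'not yours' and 'no such account' so the endpoint cannot be used
    # to enumerate which phone numbers belong to customers.
    if owner != msisdn or msisdn not in ACCOUNTS:
        raise Forbidden("not authorized for this account")
    record = ACCOUNTS[msisdn]
    # Security-question answers are verification material, not profile data.
    return {k: v for k, v in record.items() if k != "security_answer"}
```

The hardened handler changes two things the article's bug got wrong: it checks who is asking before it checks what they asked for, and it never returns material that is only meant to be compared server-side.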
Karan Saini is a security researcher and the founder of the startup Secure 7. He identified the issue last week and informed T-Mobile. T-Mobile fixed the bug promptly and awarded Karan Saini a $1,000 bug bounty.
According to what T-Mobile told Motherboard, the bug affected only a small portion of its customers. In its statement to Motherboard, T-Mobile confirmed that it was alerted to the issue, investigated it and fully fixed it in less than 24 hours, and that it has no evidence the bug was exploited more widely.
It is not clear whether hackers used the obtained information to trick hapless T-Mobile technical support staff into issuing them replacement SIMs, but there is reason to suspect so. To back up their claims, the hackers sent Motherboard data from their own accounts.
» SPAMfighter News - 10/25/2017