Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.
The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew—or guessed—your phone number to obtain data that could’ve been used for social engineering attacks, or perhaps even to hijack victim’s numbers.
“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini, who is the founder of startup Secure7, told Motherboard in an online chat.
“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” he added.
Read more: The Motherboard Guide To Not Getting Hacked
Saini said there was no mechanism to prevent someone from writing a script and automatically retrieving everyone’s account details abusing this bug. An attack like that would be similar to what Andrew Auernheimer, also known by his hacker moniker Weev, did when he obtained the email addresses of 114,000 iPad users thanks to a bug on an AT&T site. That hack eventually sent Auernheimer to jail for a year. In November of 2015, other researchers found a similar bug in a MetroPCS website, helping the company fix it.
Contrary to Saini’s findings, T-Mobile told Motherboard the issue impacted only a small part of their customers. In a statement sent to Motherboard, the company said that “we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly.”
“We appreciate responsible reporting of bugs through our Bug Bounty program to protect our customers and encourage researchers to contact us at: [email protected], [email protected], [email protected],” a spokesperson said in an email.
Karsten Nohl, a cybersecurity researcher who has done work studying cellphone security, told Motherboard that, theoretically, by knowing someone’s IMSI number, hackers or criminals could track a victim’s locations, intercept calls and SMS, or conduct fraud by taking advantage of flaws in the SS7 network, a backbone communications network that is notoriously insecure. Still, Nohl added that “there is no obvious way to make money easily with just an IMSI,” so it’s hard to tell whether such an attack would be attractive to cybercriminals.
According to Saini, T-Mobile thanked him and offered a reward of $1,000 as part of its bug bounty program, which rewards friendly hackers who find and alert the company of vulnerabilities.
There is no evidence that malicious hackers found and exploited this vulnerability before it was fixed.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.
Powered by WPeMatico