It seems up until last week the T-Mobile website was suffering from a vulnerability that allowed any individual to gain the customer information of another individual simply by knowing the customer’s phone number. The information on this comes from a report out of Motherboard which in turn credits Karan Saini of Secure7 for the details and as the person who first identified the issue.
According to those details, customer information including customer email addresses, their name, their billing account number, their IMSI number, as well as pretty much all the same details for additional members on the main user’s account, were accessible just by using the customer’s phone number. While this evidently suggests that anyone who knows someone else’s phone number could find out all of their personal details, the more worrying issue is that attackers could find out all of this information on a random individual by inputting random phone numbers. According to the comments attributed to Saini, all an attacker would have had to do was query a phone number and the wsg.t-mobile.com API would automatically return all of the mentioned customer details. More worryingly, a script could theoretically have been put together to scrape the customer information on a significantly large number of T-Mobile’s customer base. With Saini suggesting the data of T-Mobile’s entire “76 million customers” could have been at risk.
In either case, and in spite of this issue only having now come to light, it also seems to be one that has been fixed. As following T-Mobile being made aware of the bug by Saini, the company confirmed that the issue was fixed within 24 hours of being first notified. In addition T-Mobile also downplayed the suggested potential impact of this issue by stating that it was an issue which only affected a small number of its customers. While also adding that there is no reason to assume there was any compromise of customer data due to the issue. Of course, T-Mobile is not the only carrier who has been affected by privacy concerns of late, as along with the many other data breaches that have been reported on this year, Verizon also suffered from one, with the company also confirming that in spite of the possibility of a data breach, no customers were affected.