Published On: Wed, Oct 11th, 2017

76 Million T-Mobile Subscribers’ Data Potentially Exposed as Blackhat Hackers Exploited a Website Bug for Months

A security vulnerability in the T-Mobile website might have leaked the data of some of its 76 million users. Discovered by security researcher Karan Saini, the bug was in a wsg.t-mobile.com API, where he found that querying for someone else’s phone number would result in the API sending back a response containing their data. This information included the user’s email address, IMSI network code, billing account number, and more. Hackers who knew or guessed a user’s phone number could have easily stolen information for phishing attacks and even hijacked the number itself, using it for more sinister purposes.

“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account that are usually family members) from all 76 million of these customers to create a searchable database with accurate and current information of all users,” Saini told Motherboard.
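The flaw described above is a missing object-level authorization check: the API confirmed that a caller existed, but never that the phone number being queried belonged to that caller. The following is an added illustration, not T-Mobile's code or Saini's, showing that lookup pattern beside the check that was missing, plus a simple detector for the mass-scraping footprint Saini describes; the record layout, session model and log lines are all constructed for the example.

```python
# Added illustration (not T-Mobile's code): a subscriber-lookup API in the
# shape the article describes, once as the flawed pattern and once with the
# check that was missing. All data below is constructed for this example.
from collections import defaultdict

# Constructed subscriber records keyed by phone number, with the fields the
# article names. Two numbers share account 100001, like family members.
SUBSCRIBERS = {
    "5550000001": {"email": "a@example.test", "imsi": "310260000000001", "account": "100001"},
    "5550000002": {"email": "b@example.test", "imsi": "310260000000002", "account": "100002"},
    "5550000003": {"email": "c@example.test", "imsi": "310260000000003", "account": "100001"},
}

# Constructed sessions: which billing account an authenticated caller owns.
SESSIONS = {"sess-alice": "100001", "sess-bob": "100002"}


def lookup_flawed(session_id, phone):
    """Returns whichever record matches `phone`. The caller is only checked
    for being logged in, never against the object being requested."""
    if session_id not in SESSIONS:
        return None
    return SUBSCRIBERS.get(phone)


def lookup_fixed(session_id, phone):
    """Object-level authorization: the number must belong to the caller's
    own account. Any other number is treated exactly like a nonexistent one,
    so the response does not reveal whether the number is a subscriber."""
    account = SESSIONS.get(session_id)
    record = SUBSCRIBERS.get(phone)
    if account is None or record is None or record["account"] != account:
        return None
    return record


def flag_enumeration(log_lines, threshold):
    """Return sessions that queried more than `threshold` distinct numbers,
    the footprint a script iterating over phone numbers leaves in API logs.
    Each constructed log line is '<session_id> <phone> <http_status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, phone, _status = line.split()
        seen[session_id].add(phone)
    return sorted(s for s, nums in seen.items() if len(nums) > threshold)
```

A real deployment would enforce the ownership check server-side on every endpoint that takes a phone number, and would alert on sessions or source addresses that exceed the distinct-number threshold well before 76 million queries.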


“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim.”

With the Equifax data breach still lurking in everyone’s mind and Accenture’s poor security protections only having come to light this week, this is yet another potential mega breach, where hackers didn’t even need to break into T-Mobile’s network, as everything was accessible to them thanks to a security bug.

Massive bug exposed T-Mobile subscribers’ account data to anyone who had (or guessed) your phone number

Saini reports that after he contacted the telecom giant, the company patched the security bug, saying that only a small portion of its subscribers were vulnerable. It also said that “there is no indication that it was shared more broadly.”

Turns out that blackhat hackers were aware of this flaw for months and potentially used it to scrape the data of millions of users. They had also uploaded a video about it, helping others learn how to exploit it, well before Saini discovered it and got it fixed. In response to the original Motherboard report, a blackhat hacker contacted the publication, revealing that the bug was known and exploited for “quite a while.”


“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards, impersonating the legitimate owners by socially engineering support technicians.

If exploited, the data could be used to impersonate legitimate T-Mobile subscribers, gaining access to their online and banking accounts that are secured with SMS-based two-factor authentication. In fact, the same already happened to TechCrunch writer John Biggs, who had reported in August that hackers had obtained a replacement for his T-Mobile SIM and managed to take over all his accounts that were protected by two-factor authentication. The hacker had then used the information from his Messenger and other accounts to reach out to his friends, asking for bitcoins to save Biggs’ father’s life. The exploits, in short, are plentiful once phone data is accessible to criminals.

However, following in the tracks of Equifax and Accenture, T-Mobile also continues to maintain that it has found no evidence of any “customer accounts affected as a result of this vulnerability.”
