Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number

A security vulnerability in T-Mobile's website let anyone gain access to the personal details of any T-Mobile customer using just a phone number, reports ZDNet.

An internal T-Mobile employee tool, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. Data that was available included full name, address, billing account number, and for some customers, tax identification numbers.


Account data, such as service status and billing status was also included, but it does not appear that credit card numbers, passwords, or other sensitive information was compromised. ZDNet says that there were "references to account PINs used by customers as a security question" which could be used to hijack T-Mobile accounts.

The API was used by T-Mobile staff to look up customer data, but it was accessible to the public and not protected by a password. T-Mobile rectified the issue in early April after it was disclosed by security researcher Ryan Stevenson, who ultimately earned $1,000.

In a statement provided to ZDNet, T-Mobile says that it does not appear customer data was accessed using the API, but research suggests the API had been exposed since at least October 2017.

A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure." "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

This is not the first unprotected API issue that T-Mobile has faced. Last year, a similar bug also exposed customer data to hackers.

T-Mobile has more than 74 million customers, and had this most recent bug been exploited, a simple script could have provided hackers with access to data on millions of people.