Unprotected T-Mobile API Let Anyone Get Customer Data With Just a Phone Number

A security vulnerability in T-Mobile's website let anyone gain access to the personal details of any T-Mobile customer using just a phone number, reports ZDNet.

An internal T-Mobile employee tool, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. Data that was available included full name, address, billing account number, and for some customers, tax identification numbers.

tmobile logo
Account data, such as service status and billing status was also included, but it does not appear that credit card numbers, passwords, or other sensitive information was compromised. ZDNet says that there were "references to account PINs used by customers as a security question" which could be used to hijack T-Mobile accounts.

The API was used by T-Mobile staff to look up customer data, but it was accessible to the public and not protected by a password. T-Mobile rectified the issue in early April after it was disclosed by security researcher Ryan Stevenson, who ultimately earned $1,000.

In a statement provided to ZDNet, T-Mobile says that it does not appear customer data was accessed using the API, but research suggests the API had been exposed since at least October 2017.

A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure." "The bug was patched as soon as possible and we have no evidence that any customer information was accessed," the spokesperson added.

This is not the first unprotected API issue that T-Mobile has faced. Last year, a similar bug also exposed customer data to hackers.

T-Mobile has more than 74 million customers, and had this most recent bug been exploited, a simple script could have provided hackers with access to data on millions of people.

Top Rated Comments

dhess34 Avatar
41 months ago
Pro tip from someone that works in Information Assurance, and has been involved in cleaning up several companies’ similar messes: anytime you see “we have no evidence that any customer information was accessed”, you can assume that they have zero logging. They ‘have no evidence’ because they have no logs; they aren’t saying it didn’t happen, it’s just a nice way to make it seem like nothing bad happened. Ask for evidence proving nothing bad happened, and you’ll be met with a horrified stare.
Score: 19 Votes (Like | Disagree)
profets Avatar
41 months ago
Makes me think back to this conversation with TMobile on Twitter about the passwords being stored in plaintext (though it was TMO Austria).

https://twitter.com/tmobileat/status/981418339653300224

“Our security is amazingly good” LOL



Attachment Image
Score: 16 Votes (Like | Disagree)
Analog Kid Avatar
41 months ago
Until we start punishing these stupid mistakes with penalties that actually hurt, this is just going to happen over and over...
Score: 15 Votes (Like | Disagree)
PlainviewX Avatar
41 months ago
Only $1000 for a catastrophic possible breach discovery? That's like getting paid $45 in a contest that was used as the Mets logo.
Score: 9 Votes (Like | Disagree)
FlipPhony Avatar
41 months ago
#uncarrier #unsafe #uncool
Score: 2 Votes (Like | Disagree)
justperry Avatar
41 months ago
#uncarrier #unsafe #uncool
Doesn't that apply to most big providers in the USA.:rolleyes:
The other big ones have their own "issues".
Score: 2 Votes (Like | Disagree)

Top Stories

Pro Display XDR Yella

Apple Working on External Display With Built-In A13 Chip

Friday July 23, 2021 9:37 am PDT by
Apple is developing an external display that includes an A13 chip with Neural Engine, according to a new rumor from 9to5Mac. The A13 chip with Neural Engine would presumably serve as an eGPU, though details are light at this time. Having a CPU/GPU built into the external display could help Macs deliver high-resolution graphics without using all the resources of the computer's internal chip....
maxresdefault

Apple Music to Livestream Premiere of Kanye West's New Album 'Donda' on Thursday

Wednesday July 21, 2021 1:49 am PDT by
Apple Music on Thursday will host a global livestream for the premiere of Kanye West's tenth studio album, titled "Donda." The sold-out event will take place at the Mercedes-Benz Stadium in Atlanta, Georgia, and Apple Music's livestream will start at 8:00 p.m. Eastern Time. The livestream was revealed in a Beats Studio Buds ad that aired during the NBA Finals. The ad features U.S. track...
airpods 3 gizmochina Feature

AirPods 3 Rumored to Launch Alongside iPhone 13 at Expected September Event

Friday July 23, 2021 12:54 am PDT by
The third-generation AirPods will likely launch at the same event revealing Apple's upcoming iPhone 13 lineup, according to a report from DigiTimes, which makes the claim citing sources familiar with the matter. The report as a whole echoes previous reporting that production of the third-generation AirPods will kickstart in August, meaning a launch shortly after can be easily expected. DigiTi...
idos 2 app ios

Apple to Pull 'iDOS 2' DOS Emulator From App Store

Thursday July 22, 2021 3:22 pm PDT by
iDOS 2, an app designed to allow users to play classic DOS games, will soon be pulled from the App Store, the app's creator said today. According to iDOS developer Chaoji Li, he tried to submit an iDOS update with bug fixes to the App Store, but was told that the update was rejected because it violated the 2.5.2 App Store guideline that says apps cannot install or launch executable code.Durin...
iPad mini pro feature

Next iPad Mini Won't Feature Mini-LED Display, Claims Display Analyst

Friday July 23, 2021 8:07 am PDT by
Yesterday, DigiTimes claimed that the upcoming iPad mini will feature a mini-LED display, but now, display analyst Ross Young is going at odds with that report, claiming that while the updated iPad mini continues to be on track for a release this year, it won't feature a mini-LED display. Young says he "confirmed" with Radiant Opto-Electronics, who DigiTimes claims would provide Apple with...
AirPods Pro Beta Firmware

AirPods Pro Beta Firmware Now Available

Wednesday July 21, 2021 6:50 am PDT by
Upcoming AirPods Pro firmware updates are now available to Apple Developer Program members as beta versions. AirPods Pro firmware beta one features FaceTime Spatial Audio and Ambient Noise Reduction. Custom Transparency mode, including Conversation Boost, was initially expected to be included in the beta but appears to have been delayed for a later version. Apple made the announcement...
iPad mini pro feature

Next-Generation iPad Mini Will Reportedly Feature a Mini-LED Display

Thursday July 22, 2021 9:03 am PDT by
Apple is widely rumored to be planning a new iPad mini with a significant redesign, including a larger 8.5-inch to 9-inch display with slimmer bezels, a Touch ID power button instead of a home button, a USB-C port instead of a Lightning connector, and more. According to a paywalled preview of a DigiTimes report today, the sixth-generation iPad mini will also feature a mini-LED display:BLU...
discount m1 macbook yellow

Deals: Shop Record Low Prices Across Apple's Full MacBook Pro and MacBook Air Lineup (Up to $499 Off)

Friday July 23, 2021 8:23 am PDT by
Apple's MacBook Pro and MacBook Air lineup is seeing all-time low discounts across the board today, including the 2019 16-inch MacBook Pro, 2020 13-inch MacBook Air, and 2020 13-inch MacBook Pro. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. 13-Inch M1...
ios wifi settings

Apple Confirms iOS 14.7 Fixes WiFi Bug and Many Other Vulnerabilities

Wednesday July 21, 2021 11:38 am PDT by
Following the release of iPadOS 14.7 this morning, Apple has shared details on the security updates that are included in iOS 14.7, iPadOS 14.7, macOS Big Sur 11.5, watchOS 7.6, and tvOS 14.7, all of which came out this week. Notably, Apple's documentation confirms that the iOS 14.7 and iPadOS 14.7 updates address a WiFi-related vulnerability that could impact iOS devices when joining a...
macOS Big Sur Feature Orange

Apple Releases macOS Big Sur 11.5 With Podcast App Updates and Bug Fixes

Wednesday July 21, 2021 10:15 am PDT by
Apple today released macOS Big Sur 11.5, the fifth major update to the macOS Big Sur operating system that launched in November 2020. macOS Big Sur 11.5 comes two months after the release of macOS Big Sur 11.4. The new ‌‌‌‌‌macOS Big Sur‌‌‌‌ 11.5 update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences. macOS Big Sur...