T-Mobile Online Tool Let Anyone Get Customer Info With a Phone Number

For many of us, our smartphones are not just a way of communicating with the world. They contain sensitive data and can serve as a key to important online accounts. According to security researcher Ryan Stevenson, T-Mobile wasn’t taking account security very seriously. It left a subdomain accessible on the open internet that would provide customer details to anyone who had your phone number. The hole has been patched now, but the site may have been used to hijack accounts.

The domain in question is promotool.t-mobile.com, which is not linked anywhere on the T-Mobile website. However, it is easy to dredge up with a Google search. The page used to host an API that required no authentication and provided access to customer account information. You could enter a phone number and get back almost all of the account details associated with it.

The returned data included the customer’s full name, mailing address, account number, and in some instances even part of the tax ID or Social Security number. The account status was also reported on this page, including notes on past-due payments and account suspensions. In some instances, the data also included account PINs and the security questions customers would need to verify their identities with support. With all this data, it would be trivially easy for someone to hijack accounts. There was so much information that someone could even use it to break into other online accounts that rely on the same details for identity verification. Think about how often you are asked to verify with an address or the last few digits of your Social Security number.

The updated page now asks for a login.

Why would something like this even exist? The promotool site is supposed to be for internal use by customer support reps only. But the site didn’t require an account login, and it was reachable from outside T-Mobile’s corporate network. After Stevenson reported the issue, T-Mobile took steps to shut down the rogue API and lock down the web page. If you visit the promotool page now, it demands login credentials.
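As an added illustration (not T-Mobile’s code, which was never published), here are the two states the paragraph above describes: a phone-number lookup with no login or network check, beside a hardened version that requires a support session from the corporate network, returns only the fields a rep needs, and records every query. All records, tokens and addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample data: every record, token and address below is fictitious.
ACCOUNTS = {
    "5550001111": {
        "name": "Avery Example", "address": "1 Sample Street", "account_number": "ACCT-0001",
        "ssn_last4": "1234", "pin": "4321", "security_answer": "Rex",
        "status": "past due",
    },
}
SUPPORT_SESSIONS = {"tok-rep-7": {"user": "rep7", "role": "support"}}
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
AUDIT_LOG: list = []
SAFE_FIELDS = ("name", "account_number", "status")


class AccessDenied(Exception):
    pass


def lookup_exposed(phone: str) -> Optional[dict]:
    """The flaw as described: no session, no network restriction, full record returned."""
    return ACCOUNTS.get(phone)


def lookup_hardened(phone: str, session_token: Optional[str], client_ip: str) -> Optional[dict]:
    """Corrected form: corporate network only, valid support session, minimal fields, audit trail."""
    if ipaddress.ip_address(client_ip) not in CORPORATE_NET:
        raise AccessDenied("lookups allowed only from the corporate network")
    session = SUPPORT_SESSIONS.get(session_token or "")
    if session is None or session["role"] != "support":
        raise AccessDenied("support login required")
    # Record who looked up which number before returning anything.
    AUDIT_LOG.append({"user": session["user"], "phone": phone})
    record = ACCOUNTS.get(phone)
    if record is None:
        return None
    # PINs, security answers and tax-ID fragments never leave the server in a lookup.
    return {k: record[k] for k in SAFE_FIELDS}
```

The audit trail is what lets a carrier notice one session querying thousands of numbers, which the exposed form could never reveal.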

Stevenson was paid a $1,000 bug bounty for reporting the error, and that’s a bargain for T-Mobile. The carrier has struggled to address SIM hijacking and port-out scams that allow attackers to steal subscriber phone numbers. This can allow the attackers to receive two-factor authentication codes sent via SMS and break into important online accounts. This web portal may well have helped make those attacks more common. You should still take security measures like adding number porting restrictions to your account, though. There could be more vulnerabilities lurking in T-Mobile’s systems.
