T-Mobile API bug may have leaked customer account data

News by Robert Abel

A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.

To exploit the flaw, an attacker needed only to know or guess a victim's phone number; the API would then return information including the billing account number, email address and the phone's IMSI.
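The bug class the article describes is a lookup endpoint that treats knowledge of a phone number as sufficient proof of ownership. The following is an added example, not T-Mobile's code and not taken from the article, that puts that vulnerable pattern beside the hardened form a defender would want: the handler resolves the caller from a server-side session and refuses any request for an account the caller does not own. The account records, session tokens, function names and the `AuthorizationError` type are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    phone: str
    billing_account_number: str
    email: str
    imsi: str


# Constructed sample records for the example; nothing here is real customer data.
ACCOUNTS = {
    "15550100001": Account("15550100001", "BA-0001", "alice@example.com", "310260000000001"),
    "15550100002": Account("15550100002", "BA-0002", "bob@example.com", "310260000000002"),
}

# Constructed session store: bearer token -> phone number that session belongs to.
SESSIONS = {
    "token-alice": "15550100001",
    "token-bob": "15550100002",
}


def _render(acct: Account) -> dict:
    # The fields the article says were exposed: billing account number, email, IMSI.
    return {
        "billing_account_number": acct.billing_account_number,
        "email": acct.email,
        "imsi": acct.imsi,
    }


def lookup_vulnerable(phone: str) -> Optional[dict]:
    """Vulnerable pattern: the phone number in the request is the only input
    consulted. Whoever knows or guesses a number gets that subscriber's record.
    There is no notion of who is asking."""
    acct = ACCOUNTS.get(phone)
    return None if acct is None else _render(acct)


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to read the requested account."""


def lookup_hardened(phone: str, bearer_token: Optional[str]) -> Optional[dict]:
    """Hardened pattern: authenticate the caller from a server-side session,
    then enforce object-level authorization by checking that the requested
    phone number is the one bound to that session.

    Unauthenticated requests, requests for another subscriber's number and
    requests for numbers that do not exist all fail with the same exception,
    so the response does not let a caller enumerate valid phone numbers."""
    caller_phone = SESSIONS.get(bearer_token or "")
    if caller_phone is None or caller_phone != phone:
        raise AuthorizationError("not authorized for this account")
    acct = ACCOUNTS.get(phone)
    return None if acct is None else _render(acct)


def audit_event(phone: str, bearer_token: Optional[str]) -> dict:
    """Detection aid: describe a request in the form a log pipeline would
    alert on. A session asking for a number other than its own, or no session
    at all, is the signature of the enumeration the article describes."""
    caller_phone = SESSIONS.get(bearer_token or "")
    return {
        "requested_phone": phone,
        "caller_phone": caller_phone,
        "cross_account": caller_phone is not None and caller_phone != phone,
        "unauthenticated": caller_phone is None,
    }


if __name__ == "__main__":
    # Anyone can pull Bob's record from the vulnerable handler with only his number.
    print(lookup_vulnerable("15550100002"))
    # Alice can read her own account through the hardened handler...
    print(lookup_hardened("15550100001", "token-alice"))
    # ...but her session cannot read Bob's, and the attempt is flagged.
    try:
        lookup_hardened("15550100002", "token-alice")
    except AuthorizationError as exc:
        print("refused:", exc, audit_event("15550100002", "token-alice"))
```

The essential change between the two handlers is that the identifier in the URL or body stops being the authorization decision: ownership is established from session state the client cannot forge, and the lookup key must match it. Counting `cross_account` and `unauthenticated` events per session or source in the audit output is the simplest way to notice a sweep across phone numbers before it becomes a mass exposure.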

The vulnerability was discovered by Secure7 Founder Karan Saini who told Vice's Motherboard that an attacker could have had access to the information of all 76 million customers.

"That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," Saini said. T-Mobile denied the claims and told the publication the issue only affected a small number of customers.

Saini was offered a £760 (US$ 1,000) reward for his discovery as part of the cellular provider's bug bounty programme. An anonymous hacker claims the bug was exploited in the last few weeks and has posted a tutorial of the exploit on YouTube and even reportedly sent the Vice reporter their own account information obtained via the exploit.
