A bug disclosed and patched last week by T-Mobile in a Web application interface allowed anyone to query account information by simply providing a phone number. That includes customer e-mail addresses, device identification data, and even the answers to account security questions. The bug, which was patched after T-Mobile was contacted by Motherboard’s Lorenzo Franceschi-Bicchierai on behalf of an anonymous security researcher, was apparently also exploited by others, giving them access to information that could be used to hijack customers’ accounts and move them to new phones. Attackers could potentially gain access to other accounts protected by SMS-based “two factor” authentication simply by acquiring a T-Mobile SIM card.
The weakness of the application interface in question, which was hosted on wsg.T-Mobile.com, had become so well known to cybercriminals that someone even created a tutorial video on YouTube showing how to exploit it, as Franceschi-Bicchierai reported. One source told him that the bug had been used in attempts to take over “desirable social media accounts.”
To hijack a targeted individual’s social media accounts and other communications linked to a particular phone number, attackers first used the vulnerable API to pull essential account data from T-Mobile’s systems. Attackers could then use that data to call into T-Mobile customer support while posing as the customer and convince the support team to send them a replacement SIM card for their device. Using the new SIM, they could take over the phone service of the targeted number and reset the targeted social media and other accounts that used the phone for two-factor authentication or account recovery by SMS message.
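As an added illustration (not T-Mobile's code and not part of Motherboard's reporting), the following Python sketches the defect class the article describes: an account-lookup endpoint whose only "authorization" is knowing the phone number, next to a hardened version that binds the lookup to an authenticated subscriber and withholds security-question answers. It also includes a small log check that flags clients querying many distinct numbers, which is what bulk use of such an endpoint looks like to a defender. The `Request` shape, the account records and the log lines are constructed placeholders.

```python
# Added example (hypothetical, not T-Mobile's code): the lookup defect the
# article describes, beside a hardened handler and a simple enumeration check.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample backend: phone number -> account record
ACCOUNTS = {
    "+15551230001": {"email": "alice@example.com", "imei": "IMEI-PLACEHOLDER-1",
                     "security_answer": "fluffy"},
    "+15551230002": {"email": "bob@example.com", "imei": "IMEI-PLACEHOLDER-2",
                     "security_answer": "oak street"},
}


@dataclass
class Request:
    phone: str                          # phone number the caller is asking about
    session_phone: Optional[str] = None  # number bound to the authenticated session, if any


class Forbidden(Exception):
    pass


def lookup_vulnerable(req: Request) -> dict:
    """Vulnerable pattern: the phone number is the only input and nothing ties it
    to the caller, so anyone who can reach the endpoint can read anyone's record,
    including the security-question answer."""
    return ACCOUNTS[req.phone]


def lookup_hardened(req: Request) -> dict:
    """Hardened pattern: require an authenticated session, allow a subscriber to
    read only their own record, and never return secrets like security answers."""
    if req.session_phone is None:
        raise Forbidden("authentication required")
    if req.session_phone != req.phone:
        raise Forbidden("caller may only read its own account")
    record = ACCOUNTS[req.phone]
    return {"email": record["email"], "imei": record["imei"]}


def lookup_outcome(req: Request) -> str:
    """Convenience wrapper: 'ok' when the hardened lookup succeeds, 'denied' otherwise."""
    try:
        lookup_hardened(req)
        return "ok"
    except Forbidden:
        return "denied"


def enumeration_suspects(log_lines, threshold: int = 3):
    """Return clients that queried at least `threshold` distinct phone numbers.
    Each constructed log line is '<timestamp> <client_ip> <queried_phone>'.
    A legitimate subscriber queries their own number; a client walking through
    many numbers is the signature of the bulk lookups described above."""
    seen = defaultdict(set)
    for line in log_lines:
        _ts, client, phone = line.split()
        seen[client].add(phone)
    return sorted(client for client, phones in seen.items() if len(phones) >= threshold)


# Constructed sample log: one client walks three numbers, another repeats its own.
SAMPLE_LOG = [
    "2017-10-10T12:00:01Z 203.0.113.9 +15551230001",
    "2017-10-10T12:00:02Z 203.0.113.9 +15551230002",
    "2017-10-10T12:00:03Z 203.0.113.9 +15551230003",
    "2017-10-10T12:05:00Z 198.51.100.4 +15551230001",
    "2017-10-10T12:06:00Z 198.51.100.4 +15551230001",
]

if __name__ == "__main__":
    print(lookup_vulnerable(Request("+15551230001")))
    print(lookup_hardened(Request("+15551230001", session_phone="+15551230001")))
    print(lookup_outcome(Request("+15551230002", session_phone="+15551230001")))
    print(enumeration_suspects(SAMPLE_LOG))
```

The hardened handler fixes two separate problems: the missing ownership check (the lookup is tied to the authenticated session rather than to a number anyone can type) and the over-broad response (security-question answers stay server-side, since their only legitimate use is verification, never display). Rate limiting and alerting on distinct-number counts per client are the operational backstop for the day an authorization check is missed.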
T-Mobile customers were already breach victims as the result of the hacking of credit reporting agency Experian. As Reuters reported October 1, data on 15 million people who applied for T-Mobile accounts or to purchase new devices through the company over the last two years were exposed as part of the Experian breach. But a T-Mobile spokesperson told Motherboard that the company had found no evidence that the vulnerability in the website had affected any customer accounts.