A T-Mobile USA website subdomain easily allowed anyone with a customer’s phone number to obtain personal information about them.
According to ZDNet, promotool.t-mobile.com was an employee tool easily accessible through search engines and was not protected by a password. Employees did specific look-ups by adding the customer’s cellphone number to the end of the address.
What was revealed was the customer’s full name, billing address and account numbers with tax information for some customers, account PINs for access to privileged account actions — such as canceling an account or changing personal details — and details of any overdue bills or service suspensions.
The subdomain was pulled offline after bug hunter Ryan Stevenson reported the vulnerability to the company in April for a $1,000 bounty. However, it’s not clear how long the URL was live — the Internet Archive has logged a copy of the page from last October.
T-Mobile issued a statement, a portion of which reads:
The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure […] The bug was patched as soon as possible and we have no evidence that any customer information was accessed.
A similar exploit on T-Mobile’s site — also allowing access to personal information with just a phone number — was uncovered in October by Motherboard. It was independently verified that data had been taken through this method for weeks. The company’s prepaid subsidiary, MetroPCS, was also subject to the same number-entry exploit on its website in November 2015.
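The weakness described throughout the article is a lookup endpoint that returns a customer record to anyone who supplies a phone number, with no session and no check that the caller is entitled to that record. The example below is added here and is not code from the article, ZDNet, or T-Mobile; the customer records, session tokens, log lines and the `/lookup/` path are all constructed. It contrasts the weak pattern with a hardened handler that requires a valid session, enforces object-level authorization (the session may only view its own number) and never returns the account PIN, and it adds a small detector that flags a client requesting many distinct phone numbers, the kind of bulk scraping the later reports describe.

```python
"""Added example (not from the article or T-Mobile): an unauthenticated
phone-number lookup beside a hardened form, plus enumeration detection."""

from collections import defaultdict

# Constructed sample customer records keyed by phone number (fake data).
CUSTOMERS = {
    "2025550101": {"name": "Alice Example", "account": "A-1001", "pin": "4321"},
    "2025550102": {"name": "Bob Example", "account": "A-1002", "pin": "8765"},
}

# Constructed sessions: session token -> the phone number that session owns.
SESSIONS = {"sess-alice": "2025550101"}


def lookup_unauthenticated(phone):
    """Weak pattern: whoever knows a phone number gets the full record,
    PIN included, with no session required."""
    return CUSTOMERS.get(phone)


def lookup_hardened(phone, session_token):
    """Hardened pattern: require a valid session, check that the session is
    allowed to view this specific phone number (object-level authorization),
    and strip the PIN from the response. Returns None when denied."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != phone:
        return None
    record = CUSTOMERS.get(phone)
    if record is None:
        return None
    return {"name": record["name"], "account": record["account"]}


# Constructed access-log lines in the form "<client_ip> <method> <path>".
SAMPLE_LOG = """\
10.0.0.5 GET /lookup/2025550101
10.0.0.5 GET /lookup/2025550102
10.0.0.5 GET /lookup/2025550103
10.0.0.5 GET /lookup/2025550104
10.0.0.5 GET /lookup/2025550105
10.0.0.9 GET /lookup/2025550101
"""


def flag_enumeration(log_text, threshold=3):
    """Return the set of client IPs that requested more than `threshold`
    distinct phone numbers from the lookup path. A legitimate customer
    views one or two numbers; a scraper walks through many."""
    numbers_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/lookup/"):
            continue
        ip, path = parts[0], parts[2]
        numbers_by_ip[ip].add(path.rsplit("/", 1)[1])
    return {ip for ip, nums in numbers_by_ip.items() if len(nums) > threshold}


if __name__ == "__main__":
    print("weak:", lookup_unauthenticated("2025550101"))
    print("hardened, own number:", lookup_hardened("2025550101", "sess-alice"))
    print("hardened, other number:", lookup_hardened("2025550102", "sess-alice"))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The authorization check is the important part: a password on the tool alone would not have stopped an employee session from pulling any customer's PIN, so the hardened handler ties each session to the record it may read and keeps the PIN out of the response entirely. The detector is deliberately simple; in practice the threshold would be tuned per endpoint and evaluated over a time window.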