T-Mobile flaw let anyone access user info with only a phone number
An exposed T-Mobile online interface let anyone access user info using only a phone number.
The details: Researcher Ryan Stevenson notified T-Mobile of the bug in April, and the wireless carrier took down the problematic service the next day. The bug was first reported by ZDNet.
- Until it was taken down, T-Mobile had an active online tool, known as an API, that its computer programmers used to connect its employees to the customer database.
- The API delivered information including address, PIN, account number and, on some accounts, tax identification number.
- Researchers found a separate, similar T-Mobile bug in October.
A representative confirmed that T-Mobile investigated the flaw but found no sign any data had actually been stolen.