T-Mobile Bug Revealed Email Address, Name, and More

John Lister's picture

T-Mobile has fixed a bug that let hackers get sensitive personal data just by using a phone number. In theory, it could have been possible to collect details on all the company's customers, though T-Mobile denies this.

The problem was discovered by Karan Saini, a security researcher who discussed it with the Motherboard Vice website. The site then approached T-Mobile about the problem. T-Mobile said "we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly." (Source: vice.com)

The bug had to do with T-Mobile's database being used alongside a service called "My Digits", which lets T-Mobile customers use the same number for multiple handsets and devices. It's not clear if the database covered only My Digits users, or all T-Mobile customers.

SIM Card Number Revealed

Normally, someone using the site would provide their login details and the site would then query the database using their T-Mobile ID. However, Saini discovered that anyone visiting the site could instead query the database themselves using a phone number rather than an ID.

If this phone number was for a T-Mobile account, the database would return details including the user's first name, email address and the IMSI number that identifies the SIM card in the phone - which in turn links the SIM card to the account.

The good news is that there's no easy way to make money using stolen IMSI data. However, it could theoretically be used to track a user's location or intercept messages, thanks to other bugs in cellphone networks. That means the T-Mobile bug could be useful for people trying to carry out specifically targeted attacks on individuals.

Saini tested the bug with eight genuine T-Mobile phone numbers, with the permission of the phone owners concerned. However, he believes it would have been possible to automate the process and simply try every possible phone number and thus retrieve the data for every user. (Source: secure7.com)
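The access-control flaw described in this section, as an added sketch that is not T-Mobile's code (the article does not show the real API): one lookup trusts a phone number supplied by the caller, the other takes the account from the logged-in session and gives the same refusal for every other number, so it cannot be used to enumerate customers. All function names, account IDs, session tokens and data values are hypothetical and constructed for illustration.

```python
# Constructed sample data: every identifier and value here is hypothetical.
ACCOUNTS = {
    "id-1001": {"msisdn": "+15550100001", "first_name": "Alice",
                "email": "alice@example.com", "imsi": "001010000000001"},
    "id-1002": {"msisdn": "+15550100002", "first_name": "Bob",
                "email": "bob@example.com", "imsi": "001010000000002"},
}
SESSIONS = {"sess-alice": "id-1001"}  # session token -> authenticated account ID


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def lookup_vulnerable(params):
    """The flaw as described: the caller-supplied phone number is the only key."""
    for account in ACCOUNTS.values():
        if account["msisdn"] == params.get("msisdn"):
            return {k: account[k] for k in ("first_name", "email", "imsi")}
    return None


def lookup_hardened(session_token, params):
    """Derive the account from the server-side session, never from the request."""
    account_id = SESSIONS.get(session_token)
    if account_id is None:
        raise Forbidden("authentication required")
    account = ACCOUNTS[account_id]
    requested = params.get("msisdn", account["msisdn"])
    if requested != account["msisdn"]:
        # Same error whether or not the number exists, so responses cannot
        # be used to enumerate which numbers belong to customers.
        raise Forbidden("not authorized for this number")
    # Design assumption: the client does not need the IMSI, so it is not returned.
    return {"first_name": account["first_name"], "email": account["email"]}


if __name__ == "__main__":
    other = {"msisdn": "+15550100002"}
    print("vulnerable:", lookup_vulnerable(other))
    try:
        lookup_hardened("sess-alice", other)
    except Forbidden as exc:
        print("hardened:", exc)
    print("own record:", lookup_hardened("sess-alice", {}))
```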

Hackers 'Exploited Bug'

Saini adds that since T-Mobile fixed the problem, it's now become clear that some hackers were actively exploiting the bug. He says it appears hackers were also able to get additional details including the customer's password (in encrypted form) and security question answers.

Saini says the most likely explanation is that these hackers were able to exploit the same problem with a different section of the database. One concern there is that it might provide enough information to effectively steal a user's phone number by falsely reporting a handset as lost or stolen, then requesting a replacement SIM.

What's Your Opinion?

Are you surprised that such a basic bug existed? Should companies protect public databases by limiting how often a particular user can query them? Would you change companies over a security breach and if so, how serious would the breach have to be?



Dennis Faas's picture

To have a company display that much information based on entering a phone number is crazy. The data should have at least been partially redacted to make it much more difficult for 'hackers' to make heads or tails of the data they were receiving.

That said, it is easy enough to prevent brute force / automated attacks from occurring in the first place. As long as the logins are logged, companies can use something like 'fail2ban' to scan logs for successive tries and failures, depending on IP address and ban offending IPs. We already have something like this in place on this website.

Another idea is to use a CAPTCHA at the login page, as this would also prevent attacks from hundreds of IPs requesting data (similar to a denial of service attack). If that CAPTCHA is incorrect, the login attempt fails.