According to ZDNet, which first reported on the website bug, anyone could add a T-Mobile customer's phone number to the end of the website address, after which they would gain access to a treasure trove of information. Personal customer details such as full name, address, account number, account PIN and tax identification number (in certain instances) were all made visible.
Most wireless carriers allow you to set a PIN for your account as an added security measure. When you call in to customer support (e.g. to resolve an account issue), you give that PIN to the CSR so that they can pull up your full account details. If you have all of a person's identifiable account information along with their PIN, your ability to hijack their account increases dramatically.
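The flaw described above is an access-control bug: the phone number in the URL selected the record, and nothing checked that the caller owned that account. The following is an added example, not T-Mobile's code, that models the endpoint in miniature: a vulnerable lookup keyed only on the URL parameter, a hardened version that binds the requested number to the authenticated session and strips the PIN and tax ID from the response, and a small check over constructed access-log lines that flags a session walking many different phone numbers. All account records, phone numbers, session tokens and log lines are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List

# --- Constructed sample data (placeholders, not real subscribers) -------------
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "2025550100": {"name": "Alice Example", "address": "1 Example St",
                   "account_number": "ACCT-0001", "pin": "1234", "tax_id": "000-00-0001"},
    "2025550101": {"name": "Bob Example", "address": "2 Example St",
                   "account_number": "ACCT-0002", "pin": "5678", "tax_id": "000-00-0002"},
}

# Constructed sessions: bearer token -> phone number the session was authenticated as.
SESSIONS: Dict[str, str] = {"tok-alice": "2025550100", "tok-bob": "2025550101"}

# Fields that should never leave the server in a self-service response.
SENSITIVE_FIELDS = {"pin", "tax_id"}


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """A valid session was presented, but it does not own the requested account."""


def normalize_phone(raw: str) -> str:
    """Accept only a 10-digit number; reject anything else before it reaches a lookup."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 10:
        raise ValueError("phone number must be 10 digits")
    return digits


def lookup_vulnerable(phone: str) -> Dict[str, str]:
    """The pattern the article describes: the phone number in the URL is the only
    key, there is no check that the caller owns that account, and every field
    (PIN and tax ID included) is returned."""
    return dict(ACCOUNTS[normalize_phone(phone)])


def lookup_hardened(session_token: str, phone: str) -> Dict[str, str]:
    """Same endpoint with two fixes: (1) the requested number must equal the number
    bound to the authenticated session, so the URL parameter cannot be used to
    read other customers' records; (2) secrets used for identity proofing on a
    support call are never echoed back to the browser."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Unauthorized("no valid session")
    if owner != normalize_phone(phone):
        raise Forbidden("session does not own this account")
    return {k: v for k, v in ACCOUNTS[owner].items() if k not in SENSITIVE_FIELDS}


def outcome(session_token: str, phone: str) -> str:
    """Classify the hardened lookup result as 'ok', 'unauthorized' or 'forbidden'."""
    try:
        lookup_hardened(session_token, phone)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


# --- Detection: one session requesting many different account numbers ---------
# Constructed access-log lines in the form "<session token> <requested phone>".
SAMPLE_LOG = [
    "tok-bob 2025550101",
    "tok-alice 2025550100",
    "tok-bob 2025550100",
    "tok-bob 2025550102",
    "tok-bob 2025550103",
]


def sessions_over_threshold(log_lines: Iterable[str], max_distinct: int = 2) -> List[str]:
    """Return sessions that requested more than `max_distinct` distinct phone numbers.
    A self-service session normally touches only its own number, so a session
    sweeping across many numbers is worth alerting on."""
    seen: Dict[str, set] = {}
    for line in log_lines:
        session, phone = line.split()
        seen.setdefault(session, set()).add(phone)
    return sorted(s for s, phones in seen.items() if len(phones) > max_distinct)


if __name__ == "__main__":
    print(lookup_hardened("tok-alice", "(202) 555-0100"))
    print(outcome("tok-alice", "2025550101"))
    print(sessions_over_threshold(SAMPLE_LOG))
```

The hardened version does not trust the URL parameter at all for authorization: the session decides which record may be read, and the parameter is only checked for agreement with it. Running the log check on the constructed lines flags `tok-bob`, which requested four different numbers, while `tok-alice` only ever requested its own.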
This exploit is strikingly similar to one that we reported on last year, which also involved gaining access to a T-Mobile subdomain. That particular breach gave hackers access to email addresses, customer names, account numbers and a phone's IMSI number (a unique code which identifies a phone on a network).
Interestingly enough, the person who uncovered the newest bug received just $1,000 for their troubles as part of T-Mobile's bug bounty program. We don't know about you, but a reward that size for finding a bug that could affect roughly 75 million customers seems a bit stingy to us. But we digress.
"The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure," said a T-Mobile representative in a statement to ZDNet. "The bug was patched as soon as possible and we have no evidence that any customer information was accessed."
T-Mobile is currently in the process of trying to seal a deal to merge with Sprint which would create a strong third-place U.S. wireless carrier to better compete with first-place Verizon Wireless and second-place AT&T.