Unprotected T-Mobile API allows anyone to obtain customer data with just a phone number

A security breach on the T-Mobile website allows anyone to access the personal data of any T-Mobile customer by simply using a telephone number, reports ZDNet.

An internal tool for T-Mobile employees, promotool.t-mobile.com, had a hidden API that provided T-Mobile customer data when a customer's cell phone number was added to the end of the web address. The available data included the full name, address, billing account number and, for some customers, tax identification numbers.


Account data, such as service status and billing status, were also included, but it does not appear that credit card numbers, passwords or other sensitive information were compromised. ZDNet says that there were "references to PINs of accounts used by customers as a security issue" that could be used to hijack T-Mobile accounts.

The API was used by T-Mobile personnel to search customer data, but it was publicly accessible and not password protected. T-Mobile rectified the situation in early April after it was disclosed by security researcher Ryan Stevens, who ultimately won $1,000.

In a statement provided to ZDNet, T-Mobile states that it does not appear that customer data was accessed using the API, but searches suggest that the API had been exposed since at least October 2017.
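Whether records were served to outsiders is a question the web server's access logs can answer. The following is an added example, not code from T-Mobile or ZDNet: it scans combined-style log lines for customer lookups that returned data with no authenticated user. The endpoint path `/api/customer/<number>`, the log layout, the sample lines and the threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log; the endpoint path, IP addresses and phone
# numbers are hypothetical and are not taken from the T-Mobile incident.
SAMPLE_LOG = """\
10.0.4.17 - jdoe [12/Mar/2018:09:14:02 +0000] "GET /api/customer/5550100001 HTTP/1.1" 200 812
203.0.113.9 - - [12/Mar/2018:09:15:10 +0000] "GET /api/customer/5550100002 HTTP/1.1" 200 798
203.0.113.9 - - [12/Mar/2018:09:15:11 +0000] "GET /api/customer/5550100003 HTTP/1.1" 200 805
203.0.113.9 - - [12/Mar/2018:09:15:12 +0000] "GET /api/customer/5550100004 HTTP/1.1" 200 790
198.51.100.23 - - [12/Mar/2018:09:20:45 +0000] "GET /api/customer/5550100009 HTTP/1.1" 401 0
198.51.100.23 - - [12/Mar/2018:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client IP, ident, authenticated user ("-" if none), timestamp, request, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /api/customer/(?P<msisdn>\d{10}) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def unauthenticated_lookups(log_text, min_distinct=3):
    """Return {client_ip: sorted phone numbers} for clients that received
    customer records (HTTP 200) without an authenticated user and looked up
    at least `min_distinct` different numbers."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a customer lookup request
        if m["status"] == "200" and m["user"] == "-":
            served[m["ip"]].add(m["msisdn"])
    return {ip: sorted(nums) for ip, nums in served.items()
            if len(nums) >= min_distinct}

if __name__ == "__main__":
    for ip, numbers in unauthenticated_lookups(SAMPLE_LOG).items():
        print(f"{ip}: {len(numbers)} customer records served without authentication")
```

Any hit from outside the employee network means the endpoint answered without a login, which is the condition the article describes; the durable fix is to require authentication and a per-record authorization check on the API itself.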

A T-Mobile spokesperson said, "The bug bounty program exists so that researchers can alert us to vulnerabilities, that has happened here, and we support this type of responsible and coordinated disclosure." "The bug was …
