26 May
T-Mobile Bug Exposed Customer Account Info to the Public
It was reported earlier this week that a flaw in T-Mobile's website could have allowed anyone to look up a customer's personal account details using nothing more than that customer's cellphone number.
The bug was found on one of T-Mobile's subdomains, one that staff use to reach internal tools. Although intended for employees, the subdomain was reachable from the public internet, and it exposed an undocumented API that returned customer data whenever a customer's cellphone number was appended to the end of the web address. No login or other form of authentication was needed to call it.
Using the unsecured API, anyone could look up a customer's full name, postal address, billing account number and even tax identification number. T-Mobile said it had already fixed the issue and paid the security researcher who reported it a $1,000 bounty. The weakness was not that the endpoint was hard to find but that it answered to anyone: an API that keys records on a guessable identifier such as a phone number needs an authentication check and an authorization check on every request, and keeping the URL undocumented is no substitute for either.
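The failure described above is a missing authentication and authorization check on an API endpoint that takes a customer identifier straight from the URL. The following Python sketch is an added example, not T-Mobile's code and not based on the actual endpoint; the path layout, record fields, session tokens and role name are all constructed for illustration. It shows the unauthenticated lookup beside a hardened version that requires a valid staff session, checks a role before serving the record, and drops the tax identifier from the response so that even an authorized agent does not get more than the lookup needs.

```python
import re

# Constructed sample customer records (fictional, for this example only).
CUSTOMERS = {
    "2025550123": {
        "name": "Ada Example",
        "address": "1 Sample Street, Springfield",
        "billing_account": "100200300",
        "tax_id": "123-45-6789",
    },
}

# Constructed staff sessions: bearer token -> principal. In a real deployment
# the token would be issued by the staff SSO and validated server-side.
SESSIONS = {
    "staff-token-1": {"user": "agent42", "roles": {"customer_lookup"}},
    "staff-token-2": {"user": "intern7", "roles": set()},
}

# Hypothetical route shape: the customer's phone number is the last path segment.
PATH_RE = re.compile(r"^/api/customer/(\d{10})$")

# Fields the customer_lookup role is allowed to see; tax_id is deliberately absent.
LOOKUP_FIELDS = ("name", "address", "billing_account")


def vulnerable_lookup(path, headers=None):
    """Mirrors the reported behaviour: whoever knows the URL pattern and a
    phone number gets the full record. Headers are ignored entirely."""
    m = PATH_RE.match(path)
    if not m:
        return 404, None
    record = CUSTOMERS.get(m.group(1))
    return (200, dict(record)) if record else (404, None)


def _session_from_headers(headers):
    """Resolve the caller's session from an Authorization: Bearer header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def hardened_lookup(path, headers):
    """Same route, but every request must carry a valid staff session (401
    otherwise), the session must hold the lookup role (403 otherwise), and
    the response is limited to the fields that role needs."""
    m = PATH_RE.match(path)
    if not m:
        return 404, None
    session = _session_from_headers(headers)
    if session is None:
        return 401, None
    if "customer_lookup" not in session["roles"]:
        return 403, None
    record = CUSTOMERS.get(m.group(1))
    if record is None:
        return 404, None
    # Minimise the data returned: no tax identifier in a routine lookup.
    return 200, {k: record[k] for k in LOOKUP_FIELDS}


if __name__ == "__main__":
    url = "/api/customer/2025550123"
    print("vulnerable, no auth:", vulnerable_lookup(url))
    print("hardened, no auth:  ", hardened_lookup(url, {}))
    print("hardened, no role:  ", hardened_lookup(url, {"Authorization": "Bearer staff-token-2"}))
    print("hardened, agent:    ", hardened_lookup(url, {"Authorization": "Bearer staff-token-1"}))
```

The hardened handler fails closed at each step: a request with no token, an unknown token, or a token without the role never reaches the record lookup, and the record lookup itself never returns the tax identifier. In a real service the session check would be enforced by middleware on every route under the internal tool rather than re-implemented per handler, and each successful lookup would be written to an audit log keyed to the staff user.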