A major flaw on T-Mobile's website could have exposed the personal data of more than 76 million customers to hackers. Security experts say that such information can be used in social engineering attacks to commandeer a user's line, or even worse.
The flaw was discovered by Karan Saini, who works for a startup company called Secure7. He disclosed that the bug in the T-Mobile website could let anyone run a script to scrape the data of all of the company's subscribers and create a searchable database. If that happened, it could turn into a very critical data breach, making every T-Mobile cell phone owner a victim.
T-Mobile released a media statement on the issue saying that it resolved the vulnerability by issuing a fix within just 24 hours, on Friday last week. The statement added that the company's security experts did not find any evidence of customer accounts being affected by the hack. T-Mobile also rewarded Saini with $1000 as part of its bug bounty program.
But early this morning, an anonymous hacker disputed T-Mobile's claim that the bug has been fixed. He argued that the data exposure was available to hackers for a long period of time, and that the data could have been used to con T-Mobile technicians into handing over replacement SIMs by pretending to be the genuine owners.
The hacker's Twitter handle says that hackers armed with just a phone number were able to access sensitive information about T-Mobile subscribers, including email addresses, account numbers and the phone's International Mobile Subscriber Identity (IMSI), which is used to identify a GSM subscriber globally.
Details on how to execute the hack have been available on YouTube since August 6th, 2017, and were posted before Saini discovered the flaw. This means hackers did have access to the T-Mobile subscriber base for quite a long time, and they could have used the information to con T-Mobile customer support into issuing replacement SIMs.