"It's your data. Keep it," says T-Mobile's store in Times Square, New York City. Except when the company is leaking it. (Image: file photo)
A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number.
The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com[1], which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.
Although the API is understood to be used by T-Mobile staff to look up account details, it wasn't protected with a password and could be easily used by anyone.
The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.
The data also included references to account PINs used by customers as a security question when contacting phone support. Anyone could use that information to hijack accounts.
T-Mobile pulled the API offline a day after it was reported in early April by security researcher Ryan Stevenson, who was later awarded $1,000 in a bug bounty.
Stevenson sent ZDNet several screenshots of customer data returned from the working API.
A T-Mobile spokesperson said: "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type