T-Mobile customer data plundered thanks to bad API

T-Mobile missed bug that allowed harvesting of IMSI numbers, security question answers.

The weakness in the application programming interface in question, which was hosted on wsg.T-Mobile.com, had become so well known to cybercriminals that someone even created a tutorial video on YouTube showing how to exploit it, as Franceschi-Bicchierai reported. One source told him that the bug had been used in attempts to take over “desirable social media accounts.”

To hijack a targeted individual’s social media accounts and other communications linked to a particular phone number, attackers first used the vulnerable API to pull essential account data from T-Mobile’s systems. Attackers could then use that data to call into T-Mobile customer support while posing as the customer and convince the support team to send them a replacement SIM card for their device. Using the new SIM, they could take over the phone service of the targeted number and reset the targeted social media and other accounts that used the phone for two-factor authentication or account recovery by SMS message.

T-Mobile customers were already breach victims as a result of the hacking of credit reporting agency Experian. As Reuters reported on October 1, data on 15 million people who had applied for T-Mobile accounts or to purchase new devices through the company over the previous two years were exposed as part of the Experian breach. But a T-Mobile spokesperson told Motherboard that the company had found no evidence that the vulnerability in the website had affected any customer accounts.