BreachExchange mailing list archives
T-Mobile website bug let hackers steal data with a phone number
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 11 Oct 2017 08:34:35 -0500
https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/

Up until last week, a T-Mobile <https://www.engadget.com/2017/10/02/t-mobile-pulls-advertisement-claiming-fastest-network/> website had a serious security hole that let hackers access users' email addresses, accounts and a phone's IMSI network code, according to a report from *Motherboard* <https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number>. Attackers only needed your phone number to obtain the information, which could be used in social engineering attacks to commandeer your line, or worse. The security researcher who discovered the hole, Karan Saini from startup Secure7, notes that anyone could have run a script to scrape the data of all 76 million T-Mobile users and create a searchable database. "That would effectively be classified as a very critical data breach, making every T-mobile cell phone owner a victim," he told *Motherboard*.

T-Mobile said in a statement that "we were alerted to an issue that we investigated and fully resolved in less than 24 hours. There is no indication that it was shared more broadly." Saini notes that T-Mobile offered him a $1,000 reward as part of its bug bounty program.

However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't shared broadly, telling *Motherboard* that "a bunch of SIM swapping kids had [the hack] and used it for quite a while." They could have exploited the data to "socially engineer," or basically con, T-Mobile technicians into handing over replacement SIMs by pretending they're the owners of the line. *Motherboard* also discovered a YouTube video <https://www.youtube.com/watch?v=3_gd3a077RU> dated August 6th that describes exactly how to execute the hack. In fact, this is exactly what happened <https://techcrunch.com/2017/08/23/i-was-hacked/> to *Techcrunch* writer John Biggs on August 22nd.
After impersonating him and obtaining a replacement for his T-Mobile SIM, a hacker was able to quickly change his Gmail, Facebook, and other passwords, even though they were protected by two-factor SMS authentication. It's impossible to say whether the security hole helped the hackers swindle hapless T-Mobile tech support employees into sending them replacement SIMs, but it certainly appears plausible. (Tech support folks are supposed to require security question responses, invoices and other information, but often hand over SIMs to smooth-talking hackers without it.) We've reached out to T-Mobile and the FCC to find out if there was an uptick in such attacks over the last few months.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange