Another T-Mobile bug gave anyone access to your sensitive info
It's gone now, but it was very similar to a bug discovered on another T-Mobile subdomain in 2017.
A security researcher recently discovered a bug on T-Mobile's website that allowed anyone to access subscribers' personal details. Those include users' full names, addresses and, in some cases, even their tax details and the PIN they nominated for customer support verification. It was pretty much identical to the bug T-Mobile patched back in 2017 -- the only difference is that the newed bug affected another subdomain. According to ZDNet, the more recent flaw was found on promotool.t-mobile.com, and all someone had to do to exploit it was to attach customers' phone numbers to the end of the URL.
The subdomain apparently had a hidden API that would surface personal details, so customer service reps couls look up subscribers' details. Problem was, it wasn't protected by a password. Bad actors can then use those details to reset people's email and bank passwords, among other things, by convincing customer service reps that they're the owner of those accounts.
T-Mobile already pulled the API offline after security researcher Ryan Stevenson, who was awarded $1,000 from the company's bug bounty program, reported it to the carrier. A spokesperson told ZDNet that "The bug was patched as soon as possible and [they] have no evidence that any customer information was accessed." It's worth noting, however, that the carrier said the same thing last year, but a hacker came forward and told Motherboard that "a bunch of SIM swapping kids" had been using it for quite a while. Hopefully, nobody other than Stevenson caught wind of this particular bug and used it for nefarious purposes.
