T-Mobile Exposure of Customer PII

Until last week, an information disclosure vulnerability on the T-Mobile site allowed for exposure of customer PII.

The issue was discovered while monitoring requests on the mydigits.t-mobile.com website.

After logging in to mydigits.t-mobile.com, a GET request is made to the server-side API located on wsg.t-mobile.com. The parameters in this request are access_token and tmoid.

Querying this URL returns limited data about your T-Mobile account, including first name, account permissions, email address, user ID, account status and the SIM card's IMSI number.

Querying the URL with a tmoid that doesn't belong to you throws a permission error. However, before a fix for this vulnerability was put in place, it was possible to replace tmoid with a different parameter, msisdn, and supply a valid T-Mobile phone number with it; this would, without error, return limited data about the T-Mobile account associated with the phone number provided.
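The flaw described above is a missing object-level authorization check on one lookup path: ownership was enforced when the selector was tmoid but not when it was msisdn. The following is an added example written for this post, not T-Mobile's code; the account records, tokens and session store are constructed placeholders. It contrasts a handler that checks the request parameter against the session with one that resolves whichever selector the client sent and then authorizes the resolved record.

```python
"""Added example (not T-Mobile's code): an account-lookup handler that checks
ownership only on the tmoid path, beside one that authorizes the resolved
record no matter which selector (tmoid or msisdn) the client supplied."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    tmoid: str
    msisdn: str
    first_name: str
    email: str


# Constructed sample data; every identifier here is a placeholder.
ACCOUNTS = {
    "tmoid-1001": Account("tmoid-1001", "15550000001", "Alice", "alice@example.com"),
    "tmoid-1002": Account("tmoid-1002", "15550000002", "Bob", "bob@example.com"),
}
BY_MSISDN = {a.msisdn: a for a in ACCOUNTS.values()}

# Constructed session store: access_token -> tmoid of the account that owns it.
SESSIONS = {"tok-alice": "tmoid-1001", "tok-bob": "tmoid-1002"}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def _public_view(a: Account) -> dict:
    """The subset of fields the endpoint is meant to return."""
    return {"tmoid": a.tmoid, "first_name": a.first_name, "email": a.email}


def vulnerable_handler(params: dict) -> dict:
    """Mirrors the described flaw: the ownership check is tied to the tmoid
    parameter, so a lookup by msisdn bypasses it entirely."""
    owner = SESSIONS.get(params.get("access_token"))
    if owner is None:
        raise Forbidden("invalid token")
    if "tmoid" in params:
        if params["tmoid"] != owner:
            raise Forbidden("not your account")
        return _public_view(ACCOUNTS[params["tmoid"]])
    if "msisdn" in params:
        acct = BY_MSISDN.get(params["msisdn"])  # no ownership check on this path
        if acct is None:
            raise BadRequest("unknown msisdn")
        return _public_view(acct)
    raise BadRequest("missing selector")


def hardened_handler(params: dict) -> dict:
    """Resolve first, then authorize the *resolved* record against the session.
    Adding a new selector later cannot reopen the hole, because the check does
    not depend on which selector was used."""
    owner = SESSIONS.get(params.get("access_token"))
    if owner is None:
        raise Forbidden("invalid token")
    acct: Optional[Account] = None
    if "tmoid" in params:
        acct = ACCOUNTS.get(params["tmoid"])
    elif "msisdn" in params:
        acct = BY_MSISDN.get(params["msisdn"])
    else:
        raise BadRequest("missing selector")
    # Unknown and foreign records get the same answer, so the endpoint does not
    # leak whether a given number or id exists.
    if acct is None or acct.tmoid != owner:
        raise Forbidden("not your account")
    return _public_view(acct)


def outcome(handler, params: dict) -> str:
    """Small harness so both handlers can be compared on the same request."""
    try:
        return "ok:" + handler(params)["first_name"]
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"
```

For an endpoint that only ever serves the caller's own account, the simplest fix is stronger still: drop the client-supplied selector altogether and derive the account from the session. The resolve-then-authorize shape above is the general pattern for endpoints that legitimately accept several selectors.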

To ascertain the number of users that were affected by this issue, a total of eight phone numbers were queried (with prior written consent) through the API, and all of them returned details that were verified to be correct by the affected people.

T-Mobile fixed the issue within 24 hours of it being reported.

Since then, subsequent developments have revealed that a number of blackhat hackers were actively exploiting the issue until it was fixed last week.

Interestingly, the data that the hackers were able to retrieve contains much more information than was previously known to be possible. This data includes extremely sensitive details such as an encrypted version of the customer's password, encrypted security answers, the number of failed ZIP code based authentication attempts, and others.

Given this information, we have been able to conclude that another endpoint was likely affected by a similar lack of authorization checks, allowing hackers to retrieve an extensive amount of data from T-Mobile accounts.
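Exploitation of a flaw like this leaves a characteristic trace in API access logs: a single access_token requesting msisdn values that are not its own, typically many of them in quick succession. The following is an added example, not part of the original post and not T-Mobile's tooling; the log format, the token-to-number mapping and the log lines are all constructed. It parses the query string of each request and flags tokens that looked up a foreign number or enumerated several distinct numbers.

```python
"""Added example (not from the original post): flag access tokens that query
msisdn values other than their own, or enumerate many distinct numbers, in
API access logs. The log format and the token-owner mapping are constructed."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed: the phone number each access token legitimately belongs to.
TOKEN_OWNER_MSISDN = {"tok-alice": "15550000001", "tok-bob": "15550000002"}

# Constructed sample log lines: timestamp, method, path+query, status.
SAMPLE_LOG = """\
2018-05-20T10:00:01Z GET /account?access_token=tok-alice&tmoid=tmoid-1001 200
2018-05-20T10:00:05Z GET /account?access_token=tok-alice&msisdn=15550000001 200
2018-05-20T10:01:10Z GET /account?access_token=tok-bob&msisdn=15550000001 200
2018-05-20T10:01:11Z GET /account?access_token=tok-bob&msisdn=15550000003 200
2018-05-20T10:01:12Z GET /account?access_token=tok-bob&msisdn=15550000004 200
2018-05-20T10:01:13Z GET /account?access_token=tok-bob&msisdn=15550000005 404
"""


def parse_line(line: str) -> dict:
    """Split one log line and pull the two parameters of interest out of the query."""
    ts, method, target, status = line.split()
    q = parse_qs(urlsplit(target).query)
    return {
        "ts": ts,
        "method": method,
        "status": int(status),
        "token": q.get("access_token", [None])[0],
        "msisdn": q.get("msisdn", [None])[0],
    }


def find_cross_account_lookups(log_text: str, enumeration_threshold: int = 3) -> dict:
    """Return {token: {"foreign": [msisdns not owned by the token],
    "distinct": number of distinct msisdns queried}} for every token that
    requested a number other than its own or queried at least
    enumeration_threshold distinct numbers. Requests that returned an error
    still count: an enumeration attempt is a signal whether or not it hit."""
    per_token = defaultdict(set)
    foreign = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["token"] is None or rec["msisdn"] is None:
            continue  # lookups by tmoid were authorized; only msisdn is of interest
        per_token[rec["token"]].add(rec["msisdn"])
        if rec["msisdn"] != TOKEN_OWNER_MSISDN.get(rec["token"]):
            foreign[rec["token"]].append(rec["msisdn"])
    findings = {}
    for token, nums in per_token.items():
        if foreign[token] or len(nums) >= enumeration_threshold:
            findings[token] = {"foreign": foreign[token], "distinct": len(nums)}
    return findings


if __name__ == "__main__":
    for token, info in find_cross_account_lookups(SAMPLE_LOG).items():
        print(token, info)
```

On the constructed log only tok-bob is flagged: it queried four distinct numbers, none of them its own. Before the fix every one of those foreign lookups returned 200, which is itself the clearest indicator; once the endpoint authorizes the resolved record, the same behaviour shows up as a burst of 403s per token instead, and the threshold on distinct numbers still catches it.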

It is uncertain as of now whether the vulnerability present in the other endpoint has been patched.