[BreachExchange] T-Mobile’s Digits sign-up page temporarily pulled after some subscriber info was exposed

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 12 18:41:18 EST 2016


http://bgr.com/2016/12/07/t-mobile-digits-security-fail-expose-private-data/

On Wednesday afternoon, T-Mobile unveiled a new program called Digits,
which will allow T-Mobile subscribers to use a single mobile phone number
across multiple devices and use multiple phone numbers on a single device.
Unfortunately, the launch of the exciting new Digits beta was quickly
overshadowed by a major error on T-Mobile’s website that was sharing
private account information with anyone who visited the sign-up page for
the beta program.

According to multiple Twitter users, the form on T-Mobile’s website for the
Digits beta would occasionally show the name and phone number of another
active T-Mobile subscriber. When signing up to sync a single device to
multiple numbers, the site offered a series of seemingly random numbers to
choose from. But after moving on to review the information, the customers
who were attempting to sign up for Digits would sometimes see the name,
email address and phone number of another T-Mobile subscriber in the
registration details.

Here are just a few of the people who noticed on Twitter:

@JohnLegere You might not want to celebrate too quickly. I go to sign up, I
see other people's information; I can refresh and get a new person.

— tsaunders (@tsaunders) December 7, 2016

@johnlegere @TMobile yo there’s a colossal security vulnerability on the
sign-up page, exposing sensitive customer data. Shut it down!

— chris (@onexisting) December 7, 2016

@JohnLegere error alert. When you click on beta for 1 number multiple lines
takes you to someone else's account.

— Henry Hamilton (@hami1018a) December 7, 2016

lol what a security disaster @TMobileHelp https://t.co/T8vom2kJX7 every
time I refresh the sign-up page I get sensitive customer info

— chris (@onexisting) December 7, 2016

@TMobileHelp @TMobile @JohnLegere just a heads up, the DIGITS signup form
is sometimes showing phone # and email for someone else's account

— Bill Rastello (@bipp5) December 7, 2016

T-Mobile has yet to formally address the mishap, but the sign-up form has
since been removed from the company’s website. At the time of writing, I am
only able to ask T-Mobile to notify me when I can apply to become a beta
participant.

As massive an issue as security is in 2016, this is definitely a bad way
to kick off a program that otherwise looks like a great addition to the
Un-carrier’s arsenal. At least T-Mobile was relatively quick on the trigger
when it came to taking the form down before it became a widespread (and
widely reported) issue.

UPDATE: We’ve received an official response from T-Mobile regarding the
error:

“For a brief period this morning we had an issue with our beta registration
site and we quickly resolved the issue. We will follow up with any impacted
customers directly.”