[BreachExchange] T-Mobile website bug let hackers steal data with a phone number

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 11 09:34:35 EDT 2017


https://www.engadget.com/2017/10/11/t-mobile-website-flaw-social-engineering-hacks/

Up until last week, a T-Mobile
<https://www.engadget.com/2017/10/02/t-mobile-pulls-advertisement-claiming-fastest-network/>
website had a serious security hole that let hackers access users' email
addresses, accounts and a phone's IMSI network code, according to a report
from *Motherboard*
<https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number>.
Attackers only needed your phone number to obtain the information, which
could be used in social engineering attacks to commandeer your line, or
worse.

The security researcher who discovered the hole, Karan Saini from startup
Secure7, notes that anyone could have run a script to scrape the data of
all 76 million T-Mobile users and create a searchable database. "That would
effectively be classified as a very critical data breach, making every
T-mobile cell phone owner a victim," he told *Motherboard.*

T-Mobile said in a statement that "we were alerted to an issue that we
investigated and fully resolved in less than 24 hours. There is no
indication that it was shared more broadly." Saini notes that T-Mobile
offered him a $1,000 reward as part of its bug bounty program.

However, an anonymous hacker disputes T-Mobile's claim that the bug wasn't
shared broadly, telling *Motherboard* that "a bunch of SIM swapping kids
had [the hack] and used it for quite a while." They could have exploited
the data to "socially engineer," or basically con, T-Mobile technicians
into handing over replacement SIMs by pretending they're the owners of the
line. *Motherboard* also discovered a YouTube video
<https://www.youtube.com/watch?v=3_gd3a077RU> dated August 6th that
describes exactly how to execute the hack.

In fact, this is exactly what happened
<https://techcrunch.com/2017/08/23/i-was-hacked/> to *Techcrunch* writer
John Biggs on August 22nd. After impersonating him and obtaining a
replacement for his T-Mobile SIM, a hacker was able to quickly change his
Gmail, Facebook, and other passwords, even though they were protected by
two-factor SMS authentication.

It's impossible to say whether the security hole helped the hackers swindle
hapless T-Mobile tech support employees into sending them replacement SIMs,
but it certainly appears plausible. (Tech support folks are supposed to
require security question responses, invoices and other information, but
often hand over SIMs to smooth-talking hackers without it.) We've reached
out to T-Mobile and the FCC to find out if there was an uptick in such
attacks over the last few months.