Until this month, if you were one of the more than 10 million MetroPCS subscribers, anyone who knew your phone number could easily get all your personal information from the company’s website, including your home address, your type of plan, and even your phone’s model and serial number.
All that data was left exposed online by a security flaw in the MetroPCS payment page, potentially allowing cybercriminals to steal the identity of customers, hack into their email or bank accounts through social engineering, or, worse, stalk them in real life.
Security researchers Eric Taylor and Blake Welsh found the bug and shared their research with Motherboard last month. A spokesperson for T-Mobile, which owns MetroPCS, told Motherboard that the flaw was fixed, so the data is not exposed anymore. But until Motherboard notified the company, all you needed to learn a MetroPCS subscriber’s personal information was a little knowledge of programming.
“It’s a pretty nasty bug,” HD Moore, a well-known security researcher who works at Rapid7 and who reviewed Taylor’s research, told Motherboard. “It seems like a serious privacy exposure.”
In theory, a hacker didn’t even need to know somebody’s number. An attacker could have just run an automated script and harvested the personal data of many, if not all, MetroPCS customers. That would’ve been easy to do, according to Taylor, as well as several security experts consulted by Motherboard.
“Very easy,” Andrew Auernheimer, a hacker also known as Weev, told Motherboard. Auernheimer found a similar vulnerability on an AT&T website in 2010, allowing him to collect 114,000 email addresses of iPad users. “Pretty bad fuckup on MetroPCS's side.”
Taylor and Welsh, who both work at Cinder, found the bug in mid-October. Motherboard independently verified the flaw and reached out to T-Mobile on October 22. We held the story until the bug was fixed to protect MetroPCS customers’ data.
When I tested the flaw, I asked a friend if I could use her as a guinea pig. All I needed to do to find her data was use a Firefox plugin to send an HTTP request to MetroPCS’ website with her phone number in it. Once I did that, I saw her full name, home address, the model and serial number of her phone, as well as how much she was paying a month for her subscription. My friend confirmed that the data was accurate, and I repeated the test with the number of a Twitter follower who also agreed to be part of the experiment.
“I’m obviously not very happy that my home address can easily be found online thanks to MetroPCS’ incompetence,” my friend told me. “But I’m not freaking out.”
Taylor, who’s also known by his hacker moniker of Cosmo The God, told Motherboard that by using social engineering, a malicious hacker could have used this information to carry out other attacks “that would all end up in a terrible situation for the customer.”
For example, somebody could have called MetroPCS and gotten even more information about the subscriber by pretending to be her while talking to customer service (it’s worth noting that MetroPCS is a prepaid service, so the company doesn’t collect Social Security numbers). Then, the attacker could have used that information to get into other accounts, such as her bank or email account. It’s very common for cybercriminals to leverage information from one account to break into other accounts (just ask Mat Honan).
Steven Bellovin, a computer science professor at Columbia University, agreed that social engineering was a risk in this case. Another one, he said in an email, is “access to data from known subscribers”—stalking, basically.
“Think of a former romantic partner whose abuser knows to be a MetroPCS customer—this gives away the new address,” he told Motherboard.
According to Taylor, it might even be possible for hackers to “clone” the phone and essentially intercept all the customer’s calls and messages. But both Moore and Bellovin said that would not be possible.
Creating a script and obtaining all the information of every MetroPCS subscriber, on the other hand, was doable, at least in theory. (For legal reasons, neither Taylor and Welsh nor I tried to do that.)
The problem there was how to program the script. The easiest way would’ve been to just program it to run through every possible combination of ten digits, but that would’ve been impractical: there are ten billion of them.
It would have been better to program it to try only numbers with a valid American area code. According to Bellovin’s calculations, that could’ve taken a bit over 2 days. Bellovin cautioned that his calculations were based on the key assumption that the MetroPCS website wouldn’t block, or severely throttle, an IP address that kept sending it requests. Another approach would be to work out which numbers belong to MetroPCS, but although telephone carriers used to be assigned fixed ranges of numbers, that’s no longer easy to determine because customers can port their numbers from one carrier to another.
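The bug class and the enumeration arithmetic above, as an added Python illustration; this is not MetroPCS’ code and not Taylor and Welsh’s script. It models a subscriber lookup that answers to any caller-supplied phone number beside a hardened lookup that throttles per IP and requires a session bound to the queried number, and it computes the search space that Bellovin’s estimate depends on. It goes slightly beyond the text by counting candidates with the North American Numbering Plan’s NXX rule rather than a list of area codes. The sample records, IP addresses, request rates, rate-limit policy and the SMS-code session mechanism are all constructed assumptions; nothing here touches the network.

```python
"""Illustration added to this article: not MetroPCS's code and not the
researchers' script. All records, rates and limits below are constructed
assumptions; the 'lookups' are in-memory stand-ins for a web endpoint."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records; not real subscribers.
SUBSCRIBERS = {
    "2125550123": {"name": "A. Example", "address": "1 Sample St", "plan": "$40/mo"},
    "7185550199": {"name": "B. Example", "address": "2 Sample Ave", "plan": "$30/mo"},
}


class Forbidden(Exception):
    pass


class RateLimited(Exception):
    pass


def lookup_vulnerable(phone, requester_ip=None):
    """The flaw class described above: the phone number is both the only
    input and the only access check, so knowing (or guessing) it is enough."""
    return SUBSCRIBERS.get(phone)


@dataclass
class Session:
    phone: str  # number whose control the user proved at login (assumed: SMS code)


class FixedWindowLimiter:
    """Per-key request cap per time window (assumed policy, not MetroPCS's)."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.counts = defaultdict(int)

    def allow(self, key, now):
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def lookup_hardened(phone, session, requester_ip, now, limiter):
    """Throttle first, so guesses cost the caller even when they fail, then
    require that the session is bound to the very number being queried.
    The existence check comes last, so a wrong number leaks no oracle."""
    if not limiter.allow(requester_ip, now):
        raise RateLimited(requester_ip)
    if session is None or session.phone != phone:
        raise Forbidden(phone)
    return SUBSCRIBERS.get(phone)


def harvest(lookup, candidates):
    """Enumeration loop of the kind the article says was possible in theory.
    Returns (records found, refusals, throttles) over a candidate list."""
    found, refused, throttled = {}, 0, 0
    for number in candidates:
        try:
            record = lookup(number)
        except Forbidden:
            refused += 1
        except RateLimited:
            throttled += 1
        else:
            if record is not None:
                found[number] = record
    return found, refused, throttled


def nxx_count():
    """NXX patterns under the North American Numbering Plan: first digit 2-9,
    any two digits after, minus the eight N11 service codes (211 ... 911)."""
    return 8 * 10 * 10 - 8  # 792


def nanp_candidates(area_codes_in_use=None):
    """Upper bound on ten-digit numbers worth trying: area code x exchange x
    four-digit line. With no area-code count supplied, every syntactically
    valid NXX area code is counted, which overstates the number in service."""
    area_codes = nxx_count() if area_codes_in_use is None else area_codes_in_use
    return area_codes * nxx_count() * 10_000


def enumeration_seconds(candidates, per_ip_rps, ips=1, per_ip_limit=None, window_seconds=3600):
    """Wall-clock seconds to try every candidate. per_ip_limit=None is the
    assumption Bellovin flagged: the site never blocks or throttles an IP."""
    rate = per_ip_rps
    if per_ip_limit is not None:
        rate = min(rate, per_ip_limit / window_seconds)
    return candidates / (rate * ips)


if __name__ == "__main__":
    tiny_range = ["21255501" + f"{i:02d}" for i in range(100)]  # constructed prefix
    print("vulnerable:", harvest(lookup_vulnerable, tiny_range))
    limiter = FixedWindowLimiter(limit=20, window_seconds=3600)
    print("hardened, no session:",
          harvest(lambda n: lookup_hardened(n, None, "203.0.113.5", 0, limiter), tiny_range))
    print("brute force vs NANP bound:", 10**10, nanp_candidates())
    print("days at an assumed 10k req/s, no throttling:",
          enumeration_seconds(nanp_candidates(), 10_000) / 86400)
```

Against the vulnerable lookup the loop returns every record whose number falls in the range; against the hardened one it returns nothing and, after the per-IP cap, only throttles. The time estimate is dominated by the request-rate assumption, which is exactly why Bellovin’s caveat about blocking and throttling matters: a per-IP limit of a few hundred requests an hour turns days into years unless the attacker spreads the work across many addresses.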
A T-Mobile spokesperson told Motherboard the company appreciates “responsible disclosure from you and the researcher,” but declined to comment any further.
In the last few months, Taylor and Welsh have found similar flaws in other websites. Earlier this year, the two revealed that hackers could impersonate customers of Verizon and Charter Communications by taking advantage of flaws in the companies’ websites. The researchers also found a flaw in a customer feedback system called Aptean SupportSoft, which theoretically would have allowed hackers to steal passwords and credit card information of customers of sites using the system, such as Comcast and Time Warner Cable.
There’s no evidence that anyone found the flaw on MetroPCS’ website and stole customers’ personal information. And now, thanks to Taylor and Welsh, nobody will be able to abuse the bug for such nefarious purposes.