Bugs happen to everyone, but the company failed to monitor for simple signs of abuse.
Image: Shutterstock. Composite: Jason Koebler.
Last week, T-Mobile fixed a bug on one of its portals that allowed hackers armed with just your phone number to access a trove of your personal data, including your T-Mobile billing account, your email address, and your phone's standardized unique subscriber number—or IMSI.
The company patched the bug less than 24 hours after Motherboard alerted it on behalf of a security researcher who had found the bug. This was an extremely quick, prompt, and laudable response. But as it turned out, the researcher who reported the bug to T-Mobile wasn't the only one who had found it, and it appears that malicious hackers have been abusing the bug for nefarious purposes for at least a few weeks.
The bug was found within the API for T-Mobile's site wsg.t-mobile.com. All a hacker needed to do to take advantage of it was to query the API for a phone number, and the API would spit out that person's data.
Information security experts say that T-Mobile should have caught this bug long ago, and it would have been simple to determine if anyone was exploiting it.
"They were obviously asleep at the wheel"
"The idea that the same [authentication] token would request so many phone numbers should make it relatively easy to detect. There are lots of things that should have been red flags for those monitoring the servers," Jake Williams, a former NSA hacker who's now the Principal Consultant at Rendition InfoSec, told Motherboard. "They were obviously asleep at the wheel with monitoring."
These kind of bugs aren't that rare, which makes them less excusable today given that other major telecom companies have had them exploited in high-profile cases. In 2010, the infamous hacker Andrew Auernheimer, also known as Weev, took advantage of a similar vulnerability to query an AT&T webserver and collect the data of more than 100,000 iPad owners.
Read more: The Motherboard Guide to Not Getting Hacked
T-Mobile has "no excuse," Williams added, referring to that incident as a cautionary tale. "It's astonishing they weren't looking for this type of activity."
This T-Mobile bug was so well-known, apparently, that several blackhat hackers were exploiting it in the wild. It was so well-known that someone even made a YouTube tutorial to explain how to take advantage of it that was uploaded in early August.
"Nobody I know is scouring YouTube for bug reports. So I'll give them a small pass on that," Williams said. "But when stuff becomes so well known there's a tutorial video, it's bad and being talked about in a lot of forums. I would think that any good cyber threat intelligence program would have gotten wind of this."
A hacker that goes by the name MLT, who was part of a team of hackers who hacked T-Mobile in 2012, explained to Motherboard that the bug has been used by cybercriminals trying to hijack desirable social media accounts, such as those with unique words or a short character count by social engineering T-Mobile's support team using account data obtained using the bug.
"T-Mobile has always had terrible security practises to be honest," MLT said.
The criminals would use the bug to dig data on a target, then use that data to impersonate the target in a call to T-Mobile's support team, convincing them to issue the hackers a new SIM card. This would allow them to take over the victim's social media accounts, and perhaps even email account if the victim used a phone number for recovery.
Another blackhat hacker, who asked to remain anonymous, said that "a bunch of sim swapping skids had the [vulnerability] and used it for quite a while," using the often derogatory appellative of "skids" or "script kiddie" to mean low-level hackers.
When asked whether they're investigating if someone has been exploiting this bug before it got fixed, T-Mobile simply sent us a statement.
"We resolved the vulnerability that was reported to us by the researcher in less than 24 hours and we have confirmed that we have shut down all known ways to exploit it," the statement, sent via email, read. "As of this time we've found no evidence of customer accounts affected as a result of this vulnerability."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.