T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com) 62
Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victim's numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
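The flaw the article describes is a missing authorization check: the lookup was keyed only by the phone number the caller supplied. The following is an added example, not T-Mobile's code or anything from the Motherboard piece, showing a lookup handler with that defect beside one that binds the request to the caller's authenticated session. The account table, the `Account` type, the session model and all sample values are constructed assumptions.

```python
"""Added example (not T-Mobile's code): an account lookup keyed only by
phone number, beside a version that checks the caller's authorization.
All names, types and data below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    account_number: str
    email: str
    imsi: str
    phone_numbers: List[str]  # lines billed to the same account (family plan)


# Constructed sample subscribers; none of these are real numbers or people.
ACCOUNTS = {
    "ACCT-0001": Account("ACCT-0001", "alice@example.com", "310260000000001",
                         ["15550000001", "15550000002"]),
    "ACCT-0002": Account("ACCT-0002", "bob@example.com", "310260000000003",
                         ["15550000003"]),
}
# Reverse index: phone number -> billing account id.
PHONE_INDEX = {num: acct_id
               for acct_id, acct in ACCOUNTS.items()
               for num in acct.phone_numbers}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def _record_for(phone: str) -> Optional[dict]:
    """Fetch the data the article says was exposed for a given number."""
    acct_id = PHONE_INDEX.get(phone)
    if acct_id is None:
        return None
    acct = ACCOUNTS[acct_id]
    return {"account_number": acct.account_number, "email": acct.email,
            "imsi": acct.imsi, "lines": list(acct.phone_numbers)}


def lookup_vulnerable(phone: str) -> Optional[dict]:
    """The defect: whoever supplies a phone number gets that subscriber's
    record. Nothing ties the request to an authenticated caller, so the
    endpoint can be walked over the whole number space."""
    return _record_for(phone)


def lookup_hardened(session_phone: str, requested_phone: str) -> dict:
    """Authorization check: session_phone is the line the caller proved
    ownership of at login (assumed to come from a server-side session, not
    from the request). Only records on the caller's own billing account are
    returned. Unknown numbers and other people's numbers both raise the same
    Forbidden error, so the response does not reveal which numbers exist."""
    caller_acct = PHONE_INDEX.get(session_phone)
    target_acct = PHONE_INDEX.get(requested_phone)
    if caller_acct is None or target_acct is None or caller_acct != target_acct:
        raise Forbidden("not authorized for this number")
    record = _record_for(requested_phone)
    assert record is not None  # target_acct lookup above guarantees this
    return record


if __name__ == "__main__":
    print(lookup_vulnerable("15550000003"))            # leaks Bob's record
    print(lookup_hardened("15550000001", "15550000002"))  # same account: ok
    try:
        lookup_hardened("15550000001", "15550000003")   # other account
    except Forbidden as exc:
        print("refused:", exc)
```

The hardened version deliberately returns one indistinguishable error for "no such subscriber" and "not your subscriber"; a distinct "not found" response would still let an unauthenticated scan confirm which numbers are customers, which is most of the enumeration value the commenter Saini describes.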
Yay! (Score:2)
Hacker? (Score:4, Insightful)
If all it takes is to type a phone number in the URL then it's not hacking.
"Unlocked doors allow thieves to open them" sounds as stupid. If they're unlocked, anyone can open them, not just thieves.
Re:Hacker? (Score:4, Informative)
The US government considers it so, and prosecutes for it.
"A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website was sentenced on Monday to 41 months in prison followed by three years of supervised release."
https://www.wired.com/2013/03/... [wired.com]
Re: (Score:1)
Not even close. This is more like someone driving to T-Mobile headquarters, walking around the lobby, noticing a door propped open that had a box in it that says, "sensitive user information," and you saying, "don't mind if I do."
But let's go with your example, Let's say the homeowner left sensitive information lying around and you started taking pictures of it with your phone. I don't know what the law states in that situation but I would find it hard to believe you were just taking pictures of the count
Re:Hacker? (Score:4, Insightful)
Here's the problem with criminalizing accessing publicly accessible data... you put the burden on the *user* of determining what freely available data they "ought" to have access to.
That's backwards. The custodians of the data have a duty to make it available appropriately... it's not the job of the public to guess at whether public data should be public.
Re: (Score:2)
Re: (Score:1)
That's because the U.S.A. government is run by a bunch of technology-ignorant fools.
Re: (Score:2)
Sometimes it's obvious you shouldn't be doing that, and sometimes it's not.
People get in trouble for both scenarios.
e.g. URL munging the application website at Harvard to see application status results in offers being retracted
https://arstechnica.com/uncate... [arstechnica.com]
Re: (Score:1)
Try using that excuse when going in a stranger's house
That's cool (Score:2)
Re: (Score:1)
Re: (Score:2)
I pretty much trust that it isn't. Privacy is largely overrated, and any number attached to your name can eventually be found.
Re: (Score:1)
Re: (Score:2)
I'm thinking they looked back in access logs and didn't see any sequential or high rate queries. While that's not even remotely 100% it is a decent indicator of not having been majorly exploited.
Re: (Score:1)
Re: (Score:2)
I've had a fair amount of experience etc. with this. Like I said, not 100% and as to being sly there are two MOs:
1) like you said, sly, spread out, not searching blocks of numbers
2) crash and grab, dump as much as fast as possible before getting caught.
If they recognised the value and wanted to get at the data as long as possible, then yes #1 is how they'd go, and reviewing the logs wouldn't be all that reliable.
It wasn't a bug (Score:1)
Equifax can learn a thing or two.. (Score:1)
Seems like Equifax can learn a thing or two from T-Mobile.. they're much better at fixing bugs/security holes
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: X-Nokia-MSISDN (Score:1)
Re: X-Nokia-MSISDN (Score:1)
Re: T-Mobile is Magenta. I like Pink. (Score:1)
You think that's bad? (Score:1)
My phone company back in the 1980s would accidentally mail me a thick book with everyone's phone number and physical address. I really could have done some crazy stuff with it, but the most I did with it was to call my classmate's house..
Re: (Score:1)
Re: (Score:1)
Re: You think that's bad? (Score:1)
1-805-637-7243 Directly to Voice Mail (Score:2)
"call 1-805-637-7243, otherwise known as the "Voice Mail Back Door number." When you hear the prompt, i.e. "Welcome to the T-Mobile messaging center. Please enter the 10-digit number of the person you are trying to reach," enter the number. You will then be connected directly with that person's voicemail. Press "1" to leave a message, leave your message and hang up." http://answers.google.com/answ... [google.com]
Maybe if there is one of these (Score:2)
Every day like there has been for a few days now... IT will finally be forced to turn into a profession.
Maybe we all.... (Score:2)