Hackers could have hijacked and taken control of T-Mobile’s customer accounts thanks to a severe bug on the company’s website.
The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn’t been revealed until now. Within a day, T-Mobile classified it as “critical,” patched the bug, and gave the researcher a $5,000 reward. That’s good news, but it’s unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed.
This is the latest in a long string of security issues for the cellphone carrier. In October of last year, Motherboard reported of another flaw that let hackers access customers’ sensitive information such as email addresses, billing account numbers, and their IMSI, the phone’s standardized unique number that identifies subscribers. Before it got fixed, this earlier bug was being actively exploited to hijack customers’ phone numbers. Scammers have been targeting T-Mobile customers for months, hijacking their phone numbers and stealing money from their banking accounts linked to those numbers. These scams forced T-Mobile to send out a mass text message to all customers asking them to up the security on their accounts.
Read more: The Motherboard Guide to Not Getting Hacked
The newly disclosed bug allowed hackers to log into T-Mobile’s account website as any customer.
“It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down,” Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat.
Shortly after we published this story, a T-Mobile spokesperson sent us a statement:
"This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," the emailed statement read. "We found no evidence of customer information being compromised."
Security researcher Kane Gamble found and reported the bug through HackerOne, a platform that helps connect bug finders and companies. Motherboard read the original bug report, which is not publicly available, by logging into Gamble’s account with his permission.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
In 2015, when he was only 15, Gamble gained notoriety for being one of the leaders of Crackas With Attitude, a hacking group that used social engineering techniques to break into the email accounts of former CIA director John Brennan, former director of national intelligence James Clapper, and others.
While he awaits sentencing for these crimes, Gamble has been searching for and reporting bugs to T-Mobile and others. In December, Gamble found that T-Mobile left logs of customer logins exposed on the internet, allowing anyone who knew where to look to steal their session cookies.
“Everyone that was logging in could’ve had their account hacked,” Gamble told me in an online chat, explaining that accessing the log three times gave him more than 800 customers’ logins. “You could monitor it for a very long time and honestly I don’t think they’d ever suspect it.”
Helme agreed that this bug would’ve given hackers the ability to do anything on those customers’ accounts—anything the customers themselves could. The researcher also said that T-Mobile should review its logs to see if any malicious hacker took advantage of this, and force potential victims to log out and change their passwords.
“Anything short of that left users at risk and they could still be at risk right now,” Helme said.
In its statement, T-Mobile said that "if there had been customer impact we would have immediately taken proper steps to follow up."
This story has been updated to include T-Mobile's comments.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.