A bug found on T-Mobile’s website allowed anyone with a customer’s phone number to access their name, address, billing account number, security PIN, and even tax identification numbers in some cases, ZDNet exclusively reported Thursday.
The flaw, which has since been patched, was found in a T-Mobile subdomain that employees use as a customer care portal to access internal tools. However, anyone could search for the subdomain — promotool.t-mobile.com — and a hidden API would display customer data if that person’s cell phone number was added to the end of the web address, ZDNet reported.
Though intended for employee use, the subdomain was not protected by a password, allowing anyone to access this information and, by extension, customer accounts and data.
The issue highlights the importance of securing internal tools at any business. For one, the portal should not have been reachable from a public IP address; it belonged behind a firewall. There also should have been some form of authentication required to reach the portal and the customer data it served.
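The two missing controls described here, an authentication requirement and a check that the caller is entitled to the requested record, are easy to show in code. The following is an added example, not T-Mobile's code: a minimal lookup handler keyed by phone number in the unauthenticated form the article describes, beside a hardened form. All customers, sessions, tokens and roles are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data: the customer records the portal fronts.
CUSTOMERS = {
    "5551230001": {"name": "A. Example", "billing_account": "ACCT-1", "pin": "1234"},
    "5551230002": {"name": "B. Example", "billing_account": "ACCT-2", "pin": "9876"},
}

# Constructed sessions: token -> principal and role (hypothetical role names).
SESSIONS = {
    "tok-care-agent": {"principal": "agent-07", "role": "care_agent"},
    "tok-cust-0001": {"principal": "5551230001", "role": "customer"},
}

@dataclass
class Response:
    status: int
    body: dict

def lookup_vulnerable(path: str) -> Response:
    """The pattern the article describes: whoever knows the URL gets the record."""
    phone = path.rsplit("/", 1)[-1]
    rec = CUSTOMERS.get(phone)
    return Response(200, rec) if rec else Response(404, {})

def lookup_hardened(path: str, token: Optional[str]) -> Response:
    """Require a valid session, then check that session may see this record."""
    session = None
    for known, sess in SESSIONS.items():   # constant-time token comparison
        if token is not None and hmac.compare_digest(known, token):
            session = sess
    if session is None:
        return Response(401, {"error": "authentication required"})
    phone = path.rsplit("/", 1)[-1]
    if not (phone.isdigit() and len(phone) == 10):
        return Response(400, {"error": "malformed number"})
    # Object-level authorization: care agents may look up any customer, a
    # customer only their own number. Unknown roles fail closed.
    allowed = session["role"] == "care_agent" or (
        session["role"] == "customer" and session["principal"] == phone)
    if not allowed:
        return Response(403, {"error": "forbidden"})
    rec = CUSTOMERS.get(phone)
    if rec is None:
        return Response(404, {})
    # Return only the fields the caller needs; the security PIN stays server-side.
    return Response(200, {k: v for k, v in rec.items() if k != "pin"})
```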
Read more at TechRepublic