A security researcher discovered a flaw in a T-Mobile website that let hackers log in as any customer.
Customers of the cell phone carrier T-Mobile could have been in serious trouble: British security researcher Kane Gamble identified a flaw on a T-Mobile website that has been rated ‘critical.’ The flaw has already been reported to the company and patched by T-Mobile. Its details have not yet been disclosed, but it is said to have been dangerous enough to let an attacker hijack any customer account with ease by posing as that customer through the website.
T-Mobile Website Exposed Users To Cyber Attacks
According to the 18-year-old Gamble, the bug was reported through T-Mobile’s bug bounty program on HackerOne, and he was awarded $5,000 (£3,569). The flaw was found on 19th December 2017. HackerOne is a platform that connects bug finders with technology firms.
T-Mobile maintains that there is no evidence that customer data was accessed by threat actors. In its official statement, T-Mobile explained that the bug was fixed “within a matter of hours” and that it is therefore not possible that hackers accessed customer information.
“If there had been customer impact we would have immediately taken proper steps to follow up,” T-Mobile told Motherboard.
Gamble, by contrast, argues that the vulnerability was live for several hours, that attackers could well have exploited it before it was patched, and that any user who logged in to the T-Mobile website during that window could have had their account hijacked.
Gamble’s bug report was reviewed by another security researcher, Scott Helme, who said the flaw was similar to logging in to your account and then walking away from the keyboard so that an attacker could take over the session.
“Everyone that was logging in could’ve had their account hacked,” Gamble said in an online chat, explaining that accessing the log three times gave him more than 800 customers’ logins. “You could monitor it for a very long time and honestly I don’t think they’d ever suspect it.”
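The article says the exposed log handed over customers’ logins, but it does not say what the log contained or how it was reached. The defensive lesson is general: credentials and session identifiers must never be written to application logs in the first place, and existing logs should be checked for lines where that has already happened. The following is an added example, not code from the article or from T-Mobile: a redacting filter for Python’s standard logging module plus a scanner for already-written lines. The field names, header formats and the sample log lines are all constructed for the example.

```python
import io
import logging
import re
from typing import List

# Field names whose values must never reach a log. This list is an assumption
# for the example; a real deployment tunes it to its own parameter and cookie names.
_SECRET_KEYS = (
    r"password|passwd|pwd|session_id|sessionid|jsessionid|phpsessid|"
    r"auth_token|access_token|refresh_token"
)

SENSITIVE_PATTERNS = [
    # key=value, key: value and "key": "value" forms (query strings, JSON, cookies)
    (re.compile(r'(?i)\b(' + _SECRET_KEYS + r')("?\s*[=:]\s*"?)([^\s",&;]+)'),
     r"\1\2[REDACTED]"),
    # Bearer / Basic credentials in an Authorization header
    (re.compile(r'(?i)\b(authorization\s*[=:]\s*"?)(bearer|basic)\s+[A-Za-z0-9._~+/=-]+'),
     r"\1\2 [REDACTED]"),
]


def scrub(text: str) -> str:
    """Replace every credential or session value in `text` with [REDACTED]."""
    for pattern, replacement in SENSITIVE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format msg % args first so secrets passed as arguments are caught too,
        # then drop args so handlers do not re-format the original values.
        record.msg = scrub(record.getMessage())
        record.args = None
        return True


def find_leaks(lines: List[str]) -> List[int]:
    """Return 1-based numbers of log lines that contain a secret in the clear.

    A line leaks if scrubbing it changes it; use this to audit logs already on disk.
    """
    return [i for i, line in enumerate(lines, 1) if scrub(line) != line]


def log_with_redaction(message: str, *args) -> str:
    """Emit one record through a logger fitted with RedactingFilter; return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("example.redacting")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    logger.removeHandler(handler)
    return stream.getvalue()


# Constructed sample log lines, shaped like what a careless web application might write.
SAMPLE_LOG = [
    "2017-12-19 10:01:02 INFO login ok user=alice session_id=9f3c2a7b1e",
    "2017-12-19 10:01:03 DEBUG request headers Authorization: Bearer eyJhbGciOi.abc.def",
    "2017-12-19 10:01:04 INFO page view path=/account user=bob",
    '2017-12-19 10:01:05 WARN login failed user=carol "password": "hunter2"',
]

if __name__ == "__main__":
    print("lines leaking secrets:", find_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(scrub(line))
    print(log_with_redaction("user=%s password=%s", "alice", "hunter2"), end="")
```

Two design points are worth noting. The filter scrubs the formatted message rather than the template, so a secret passed as a `%s` argument is caught as well as one embedded in the string; and `find_leaks` reuses the same patterns, so the audit and the prevention cannot drift apart. A scrubber of this kind is a last line of defence: code paths that handle passwords and session tokens should avoid logging those values at all, and logs should be access-controlled so that, even when redaction misses a case, the log is not reachable from the public website.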