Teen Exposes T-Mobile Flaw Allowing Mass Hijacking of User Accounts

Users of popular cell phone carrier T-Mobile could have been in great trouble because a British hacker researcher Kane Gamble identified a security flaw on T-Mobile website that has been termed as ‘critical.’ The flaw already has been reported to the firm and patched by T-Mobile. The yet unrevealed flaw is believed to be so dangerous that it can let hackers hijack any customer account with ease by posing as a customer through T-Mobile website.

T-Mobile website exposed users to cyber attacks

According to the 18-year old Gamble, the bug was discovered under the T-Mobile’s bug bounty program via HackerOne and he was awarded $5,000 (£3,569) for that. The flaw was found on 19th December 2017. HackerOne is a platform that allows bug finders and tech firms to connect with each other.

T-Mobile maintains that there is no such evidence that suggests the data of its customers have been accessed by threat actors. In its official statement T-Mobile explained that the bug was fixed “within a matter of hours” therefore, it is not possible that hackers might have accessed customer information.

“If there had been customer impact we would have immediately taken proper steps to follow up,” T-Mobile told Motherboard.

Conversely, Gamble argues that the vulnerability was live for several hours and it is quite possible that hackers got a chance to exploit it before it was patched and any user who logged in to T-Mobile website during this time could have had his/her account hijacked.

“You could monitor it for a very long time and honestly I don’t think they’d ever suspect it,” said Gamble.

Gamble’s bug report was reviewed by another security researcher Scott Helme, who stated that the flaw was similar to logging in to your account and then leaving the keyboard free so that the attacker could exploit it.

Gamble – Crackas with Attitude – Hacking CIA Cheif

Gamble, at the age of 15 attempted to hack computers of various senior US government officials between 2015 and 2016 including those of the CIA-director at that time John Brennan, Obama’s senior advisor John Holdren, ex-Deputy Director at the FBI Mark Giuliano, My FiOS account of James Clapper, the Director of US’s National Intelligence and JABS (Joint Automated Booking System), a secret portal responsible for managing federal arrests records of law enforcement agencies.

The attacks were launched using social engineering techniques and the location was his home computer at the Coalville, Leicestershire. Later in October 2017, Gamble pleaded guilty at Leicester crown court to 8 charges of using a function with the intention of gaining unauthorized access and 2 counts of unauthorized alteration of computer material.

Gamble identified and reported the bug to T-Mobile while he was waiting for his sentence for these crimes; in December Gamble discovered that T-Mobile had left logins of customers exposed on the internet, which could have let anyone know where to steal session cookies from. When Gamble accessed the log thrice, he received over 800 customer login details.

“Everyone that was logging in could’ve had their account hacked. You could monitor it for a very long time and honestly, I don’t think they’d ever suspect it,” said Gamble.

Not for the first time

It is worth noting that this is not the first flaw that has been identified in T-Mobile but just one of the many security flaws that have been identified so far. Such as in October 2017, another flaw was identified in T-Mobile website that allowed hackers access sensitive information of the cell phone carrier’s customers including email IDs, IMSI, billing account numbers and the standardized unique number of the phone that verifies subscribers, etc. The flaw was actively exploited for hijacking customers’ phone numbers before it got fixed.

Via: Motherboard

Related Posts