Eric Taylor and Blake Welsh, security researchers from Cinde, have shared via Motherboard about a bug presented in MetroPCS, a prepaid wireless service that provides nationwide talk, text, and data depending on the plan services using T-Mobile US’ GSM, HSPA, HSPA+ and 4G LTE networks, website that could have allowed hackers to get information of more than its 10 million subscribers.
As per many news reports and security experts, with a little programming knowledge, the hackers could have just run an automated script and harvested the personal data of many, if not all, MetroPCS customers. And for this, they would not even need someone’s phone number.
The hackers could get a person’s home address, phone serial number and more.
However, the flaw has been fixed.
A spokesperson for T-Mobile, which owns MetroPCS, told Motherboard the flaw had been fixed, so the data was not exposed anymore.
The researchers found the bug in mid October and once the Motherboard verified the flaw, it notified T-Mobile on October 22.
“We held the story until the bug was fixed to protect MetroPCS’ customers’ data,” the Motherboard wrote in a blog post.
“I needed to find out her data was use a Firefox plugin to send an HTTP request to MetroPCS’ website using her phone number. Once I did that, I saw her full name, home address, the model and serial number of her phone, as well as how much she was paying a month for her subscription. My friend confirmed that the data was accurate, and I tested this with the number of a Twitter follower who also agreed to be part of the experiment,” the blog post added.
Taylor told Motherboard that by using social engineering, a malicious hacker could have used this information to carry out other attacks “that would all end up in a terrible situation for the customer.”
Till now, there is no evidence that anyone found the flaw on MetroPCS’ website and stole customers’ personal information. And now, nobody will be able to abuse the bug for such nefarious purposes.