Data on every MetroPCS customer was easily accessible

Nov 15, 2015 12:54 GMT  ·  By
MetroPCS website put in maintenance mode to fix dangerous security bug
2 photos
   MetroPCS website put in maintenance mode to fix dangerous security bug

MetroPCS, a T-Mobile subsidiary that provides pre-paid data services across the US, has just fixed a serious security hole that could have allowed attackers to steal personal details of any of their users.

Cinder app security researchers Eric Taylor and Blake Welsh came across the bug that affected MetroPCS's payment page. At the moment of writing this article, the page is in maintenance mode, as the company patches its software.

Personal user data leaked in cleartext

The researchers found out about the issue by sending an HTTP request to the MetroPCS servers querying for a phone number. Instead of a typical yes/no response, the website would return all the data it has on that phone number, all in cleartext.

The two verified their findings using a friend and a random Twitter user and contacted Vice about their research. With the help of Vice's reporters, the two were put in touch with T-Mobile's staff and provided all the details about their findings.

The data spewed in clear by the MetroPCS website included details like the phone number owner's real name, address, phone make & model, data plan, current payment status, and any other information collected by the service provider and stored in its database.

Users exposed to social engineering attacks

All this personal information, even if it did not contain financial information, would have allowed hackers to carry out social engineering attacks and gain access to other accounts the victim might be holding. Contacting a bank's call center and asking for account details by providing personal details spewed by the MetroPCS server is a possible scenario.

Additionally, since the attacker only needed to query the MetroPCS server via a simple HTTP request, hackers could have created automated scrips that could inspect random numbers and harvest data on all of MetroPCS' customers.

There is no indication that any data leaked via the MetroPCS bug has made its way to the Dark Web.

Before discovering the MetroPCs bug, Taylor and Welsh also revealed security flaws in the websites of Verizon, Charter Communications, and in the Aptean SupportSoft support system used by Time Warner Cable and Comcast.

Sample MetroPCS data output
Sample MetroPCS data output

Photo Gallery (2 Images)

MetroPCS website put in maintenance mode to fix dangerous security bug
Sample MetroPCS data output
Open gallery