A security researcher last month discovered a flaw in T-Mobile’s website that could allow access to customer account information with only a cell phone number.
The carrier was alerted to the problem — first reported by ZDNet — in April when researcher Ryan Stevenson uncovered it. Stevenson reportedly received $1,000 as part of the company’s “bug bounty” program, and the carrier said the problem has been fixed.
“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure,” the carrier said in a statement.
The problem, according to ZDNet, occurred in a little-known subdomain of T-Mobile’s website. The site allowed T-Mobile staff to look up customer information simply by adding their phone number to the web address, but it was not protected by passwords and could have been used by anyone.
The details turned up by those searches, meanwhile, could have been used to hijack T-Mobile accounts or allow hackers to access customers’ names, addresses and billing or other financial information.
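The flaw described above is a lookup endpoint that served customer records without checking for an authenticated staff session. As an added defensive example (not part of the original report or T-Mobile’s code), the script below scans constructed access-log lines for exactly that pattern: successful lookups with no session, and single clients walking through many distinct phone numbers. The log format, the `/lookup` path and the `sess=yes|no` field are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format: client IP,
# request line, HTTP status, and whether a staff session cookie was present.
SAMPLE_LOG = """\
10.0.0.5 "GET /lookup?phone=5550100 HTTP/1.1" 200 sess=yes
203.0.113.7 "GET /lookup?phone=5550101 HTTP/1.1" 200 sess=no
203.0.113.7 "GET /lookup?phone=5550102 HTTP/1.1" 200 sess=no
203.0.113.7 "GET /lookup?phone=5550103 HTTP/1.1" 200 sess=no
10.0.0.5 "GET /index.html HTTP/1.1" 200 sess=yes
"""

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) sess=(yes|no)$')
PHONE_RE = re.compile(r'[?&]phone=(\d+)')


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, path, status, sess = m.groups()
    phone = PHONE_RE.search(path)
    return {"ip": ip, "path": path, "status": int(status),
            "authenticated": sess == "yes",
            "phone": phone.group(1) if phone else None}


def find_unauthenticated_lookups(log_text, lookup_prefix="/lookup"):
    """Return records where a lookup was served (HTTP 200) with no staff session."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["path"].startswith(lookup_prefix)
                and rec["status"] == 200 and not rec["authenticated"]):
            hits.append(rec)
    return hits


def enumeration_sources(log_text, lookup_prefix="/lookup", threshold=3):
    """Map each client IP to the distinct numbers it queried; keep IPs at or above threshold."""
    numbers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(lookup_prefix) and rec["phone"]:
            numbers[rec["ip"]].add(rec["phone"])
    return {ip: sorted(p) for ip, p in numbers.items() if len(p) >= threshold}
```

Any hit from `find_unauthenticated_lookups` means the endpoint is answering without authentication, which is the root defect here; the enumeration check is a secondary signal for spotting abuse of such an endpoint before the fix lands.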
ZDNet also noted the flaw mirrored a similar problem with a different T-Mobile website subdomain last year.
The company said there is no evidence any customer information was improperly accessed.