A bug found on T-Mobile’s website allowed anyone with a customer’s phone number to access their name, address, billing account number, security PIN, and even tax identification numbers in some cases, our sister site ZDNet exclusively reported Thursday.
The flaw, which has since been patched, was found in a T-Mobile subdomain that employees use as a customer care portal to access internal tools. However, anyone could search for the subdomain—promotool.t-mobile.com—and a hidden API would display customer data if that person’s cell phone number was added to the end of the web address, ZDNet reported.
Though intended for employee use, the…
