'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts

24-2-2018, Blacklisted News
 

Hackers could have hijacked and taken control of T-Mobile’s customer accounts thanks to a severe bug on the company’s website.


The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn’t been revealed until now. Within a day, T-Mobile classified it as “critical,” patched the bug, and gave the researcher a $5,000 reward. That’s good news, but it’s unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed.


This is the latest in a long string of security issues for the cellphone carrier. In October of last year, Motherboard reported on another flaw that let hackers access customers’ sensitive information such as email addresses, billing account numbers, and their IMSI, the phone’s standardized unique number that identifies subscribers. Before it got fixed, this earlier bug was being actively exploited to hijack customers’ phone numbers. Scammers have been targeting T-Mobile customers for months, hijacking their phone numbers and stealing money from the bank accounts linked to those numbers. These scams forced T-Mobile to send out a mass text message to all customers asking them to up the security on their accounts.


The newly disclosed bug allowed hackers to log into T-Mobile’s account website as any customer.


“It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down,” Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat.

