MetroPCS patches hole that opened 10 million user creds to plunder
Scripts could have caused mayhem.
T-Mobile has crushed a bug in subsidiary MetroPCS that could have allowed attackers to steal details on any of its 10 million customers, according to reports.
Cinder researchers Eric Taylor and Blake Welsh say the vulnerabilities were simple to exploit up until a patch was dropped.
Motherboard exploited the vulnerabilities using a Firefox plugin that sent a HTML request with the target's phone number.
That spat out full names, home addresses, phone model and serial numbers, and billing details of those who agreed to be tested as part of the research.
A script could have been easily written to harvest the MetroPCS database, the pair say.
Neither the researchers nor Motherboard described the vulnerability in detail, but such vulnerabilities are unfortunately common across large and prominent organisations.
It was compared to the 2010 vulnerability in Apple discovered by Goatse Security, which exposed thousands of Apple iPad users.