LightBlog

Wednesday, 7 December 2016

T-Mobile Exposes Accounts With “DIGITS” Sign Up Security Failure

Today T-Mobile announced DIGITS, its long awaited service that would allow you to sync multiple phone numbers to a single device, and multiple devices to a single phone number.

Many have been waiting for T-Mobile to announce this feature to compete with AT&T’s “NumberSync” system, which offers similar control. While all of the details and security implications, such as the encryption of messages and data passed between devices and stored on servers, still need to be thoroughly reviewed, one thing is certain… On launch day, T-Mobile already violated the security and privacy of its millions of subscribers through a horrible flaw in its sign-up site.

The T-Mobile DIGITS beta sign-up page allows you to sign up for one of two services: the ability to sync multiple numbers to a single device, or to sync a single device to multiple numbers. The one where we have personally confirmed the flaw is the second one. Upon selecting the sign-up button and logging into your T-Mobile account, the system should display your active numbers and allow you to choose between them to enable syncing. However, a flaw in the site returns seemingly random numbers. But 10 random numbers alone aren’t much of a threat, right? Exactly, but what happens after you choose the number and click continue IS. Once you click continue, you are brought to a page that lets you view the name, phone number, and email address of the wrong user, the owner of the number displayed.

I verified this 7 times, each time displaying a different T-Mobile account.
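The two-step failure described above (a number list not restricted to the logged-in account, then a details page that trusts whatever number the client selected) is a missing ownership check at each step. The following is an added illustration, not T-Mobile's code and not from the original post; the account and line data are constructed, and the function names are hypothetical. It shows the unscoped lookups beside versions that tie every lookup to the authenticated account.

```python
# Added illustration of the DIGITS sign-up flaw (not T-Mobile's code).
# All subscriber data below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Line:
    account_id: str   # account the line belongs to
    number: str       # phone number (constructed, not real)
    owner_name: str
    owner_email: str


# Constructed sample data: two accounts, three lines.
LINES: List[Line] = [
    Line("acct-1", "+15550100001", "Alice Example", "alice@example.com"),
    Line("acct-1", "+15550100002", "Alice Example", "alice@example.com"),
    Line("acct-2", "+15550200001", "Bob Example", "bob@example.com"),
]


def list_numbers_unscoped(session_account_id: str) -> List[str]:
    """Flawed step 1: the list is never filtered by the logged-in account,
    so numbers belonging to other subscribers are offered for selection."""
    return [line.number for line in LINES]


def details_unscoped(session_account_id: str, number: str) -> Optional[Dict[str, str]]:
    """Flawed step 2: looks up whatever number the client sent and returns
    the owner's name and email without checking who is asking."""
    for line in LINES:
        if line.number == number:
            return {"name": line.owner_name, "number": line.number, "email": line.owner_email}
    return None


def list_numbers(session_account_id: str) -> List[str]:
    """Fixed step 1: only the authenticated account's own lines are offered."""
    return [line.number for line in LINES if line.account_id == session_account_id]


def details(session_account_id: str, number: str) -> Optional[Dict[str, str]]:
    """Fixed step 2: the selected number must belong to the session's account.
    A number from any other account is treated as not found, so a tampered
    request learns nothing about other subscribers."""
    for line in LINES:
        if line.account_id == session_account_id and line.number == number:
            return {"name": line.owner_name, "number": line.number, "email": line.owner_email}
    return None
```

The point for defenders is that both lookups, not just the final one, must be scoped by the server-side session identity; filtering the list alone still leaves the details page open to a tampered request.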


As of this writing, T-Mobile has taken down the sign-up page, presumably to correct the issue; whether they will own up to this error remains to be seen.

With privacy and security at the forefront of the news today, one would expect T-Mobile to have its house in order for a launch such as this. We have yet to hear from T-Mobile concerning the issue and will update this article as more information is disclosed.

Maybe they will handle the actual service with a little bit more security than the sign-up page…



from xda-developers http://ift.tt/2h3TuGm
via IFTTT
