T-Mobile Exposes Accounts With “DIGITS” Sign Up Security Failure
Update – A T-Mobile spokesperson has reached out with a statement; see the end of the article for details.
Today T-Mobile announced DIGITS, its long awaited service that would allow you to sync multiple phone numbers to a single device, or to sync multiple devices to a single phone number.
Many T-Mobile customers have been waiting for the company to announce this feature to compete with rival AT&T’s “NumberSync”. While we have yet to see how T-Mobile will handle encrypting and storing messages under its new service, we do know how T-Mobile is handling the security of the sign-up process for DIGITS – poorly. Mere hours after the announcement, T-Mobile is potentially exposing the private details of millions of its post-paid subscribers through a flaw in the DIGITS online interface.
Currently, the DIGITS beta sign-up page allows you to sign up for one of two services: first, the ability to sync multiple numbers to a single device, or second, the ability to sync a single device to multiple numbers. The flaw that we, and numerous users on social media, have discovered exists in the second service. Upon selecting the sign-up button and logging into your T-Mobile account, the system should display your active numbers and allow you to select which of them to sync to your device. However, the numbers the page returns may not belong to you; instead, they appear to be the phone numbers of other T-Mobile subscribers. Furthermore, if you click to view the details of any of these listed numbers, you can see the name and email address of a T-Mobile subscriber the system mistakenly treated as part of your plan.
I verified this 7 times, and each time the page displayed a different T-Mobile account that did not belong to me. Unfortunately, I also verified that the account information is accurate for live, real accounts: the users I messaged were frightened to discover that I had obtained their numbers through a flaw in T-Mobile’s new system.
By the time I began writing this article, T-Mobile had already taken down the sign-up page in order to correct the issue. Whether or not the company will own up to this error is yet to be seen.
Update: 4:48PM CST
A T-Mobile spokesperson that reached out to us regarding this issue had this to say:
“For a brief period this morning we had an issue with our beta registration site and we quickly resolved the issue. We will follow up with any impacted customers directly.”
No further details regarding the cause or number of affected customers were mentioned.
With privacy and security at the forefront of the news today, one would expect T-Mobile to have had its house in order for a launch such as this.