A critical security bug in MetroPCS could allow anyone who knew your phone number access your personal details from the website including your home address, phone’s model and serial number .
It was revealed in a report by Motherboard that a pair of researchers discovered a bug that left the customer’s personal data exposed to cybercriminals.
With the personal details in hand, cybercriminals could easily move on to identity theft and accessing bank accounts.
Eric Taylor and Blake Welsh found the flaw on MetroPCS’s payment page in mid-October. Motherboard independently verified the flaw and reached out to T-Mobile, which owns MetroPCS, on October 22.
Well-known researchers have claimed it as a pretty nasty bug and a serious privacy exposure. MetroPCS was unaware of the problem before being contacted by Motherboard prior to their published report. A spokesperson for T-Mobile told Motherboard that the flaw was fixed and the data is not exposed anymore.
But the thing that raised eyebrows was that the hacker won’t even need someone’s phone number. An attacker could just run an automated script and obtain the personal data of many MetroPCS customers.