MetroPCS flaw puts customer data in jeopardy

Security researchers have found a new security flaw in MetroPCS computer systems that had the potential to expose customer data.

Eric Taylor and Blake Welsh, the researchers who discovered the flaw, gave their information to Motherboard last month. Motherboard contacted MetroPCS with the bad news: if an attacker knew a phone number, they could get hold of personal information, including a home address, type of plan, and a phone’s serial number and model. They could potentially use the information to hack into customers’ bank accounts.

The flaw was in the MetroPCS website payment page, and in theory an attacker would not even need to know a phone number. They could just run a simple automated script to pull out the personal data of possibly all 10 million MetroPCS customers.

“It’s a pretty nasty bug,” HD Moore, a well-known security researcher who works at Rapid7, told Motherboard. “It seems like a serious privacy exposure.”

This isn’t the first time Taylor and Welsh have found flaws like this in a website. Earlier this year, they discovered similar flaws at Verizon, Aptean SupportSoft, and Charter Communications.

Lorenzo Franceschi-Bicchierai of Motherboard tested the flaw, with a friend’s permission, and gained access to all the information that was said to be at risk of theft. MetroPCS has fixed the flaw.


