Security researchers have found a flaw in MetroPCS' computer system that may have exposed the retailer's customer data.
Motherboard was the first to report the coding flaw to MetroPCS, pointing out that anyone who knew a customer's phone number could have accessed personal information such as the customer's address, type of plan and the serial number of the customer's mobile phone.
The flaw was found on the payment page of the company's website, which potentially exposed customer data to hackers. Cybercriminals could use such data to steal a customer's identity, break into their bank or email accounts or, worse, stalk customers in real life.
Motherboard reports that security researchers Blake Welsh and Eric Taylor discovered the bug and were the ones who shared the findings.
"It's a pretty nasty bug," says HD Moore, a network security expert and chief research officer at the security firm Rapid7. "It seems like a serious privacy exposure."
Lorenzo Franceschi-Bicchierai of Motherboard also ran a test to see how easy it is to obtain customer data from MetroPCS' website. Lorenzo asked a friend, who is a MetroPCS customer, for permission to check whether her data could be accessed easily.
Lorenzo used a Firefox plugin to send an HTTP request to MetroPCS' website containing the friend's phone number. The response revealed the customer's full name, the model and serial number of her handset, her home address and the amount she pays for her subscription.
Lorenzo checked the data with the customer, and she confirmed it was all correct. Had this data been exposed to hackers, customers could have faced dire consequences.
"I'm obviously not very happy that my home address can easily be found online thanks to MetroPCS' incompetence," says Lorenzo's friend, a MetroPCS customer. "But I'm not freaking out."
Taylor says it may also be possible for hackers to clone a customer's phone and then intercept messages and calls. However, Moore says such interception is impossible.
A spokesperson for T-Mobile, which owns MetroPCS, confirmed that the coding flaw has been fixed and that customer data is no longer exposed. Before the fix, however, anyone with a little knowledge of computer programming would have been able to pull sensitive customer data from MetroPCS' website.
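The pattern the article describes, a page that returns an account record for whatever phone number appears in the request, is a missing-authorization bug. The following added example (it is not MetroPCS' or T-Mobile's code, and the account store, field names, log format and client addresses are all constructed) shows that weak pattern beside a hardened handler that binds the lookup to the authenticated session and returns only the fields the payment page needs, plus a simple log check that flags a client cycling through many distinct phone numbers, which is how this kind of exposure tends to be abused and therefore how it can be spotted in web server logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample account store; values are placeholders, not real customer data.
ACCOUNTS = {
    "2015550100": {"name": "Ada Example", "address": "1 Example St",
                   "plan": "$40 unlimited", "imei": "IMEI-PLACEHOLDER-1"},
    "2015550101": {"name": "Ben Example", "address": "2 Example Ave",
                   "plan": "$30 basic", "imei": "IMEI-PLACEHOLDER-2"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework type)."""
    params: dict                              # query-string parameters
    session_phone: Optional[str] = None       # phone number bound to an authenticated session


def lookup_vulnerable(req: Request) -> Optional[dict]:
    """Weak pattern: the phone number in the request is the only 'credential'.

    Anyone who knows a number gets the whole record, including address and IMEI.
    """
    return ACCOUNTS.get(req.params.get("phone"))


def lookup_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: require a session, tie the lookup to it, minimise the response."""
    if req.session_phone is None:
        return 401, None                      # not logged in
    requested = req.params.get("phone", req.session_phone)
    if requested != req.session_phone:
        return 403, None                      # logged in, but asking for someone else's account
    record = ACCOUNTS.get(requested)
    if record is None:
        return 404, None
    # The payment page only needs name and plan; address and IMEI stay server-side.
    return 200, {"name": record["name"], "plan": record["plan"]}


def flag_enumeration(log_lines, threshold: int = 3):
    """Return client IPs that requested more than `threshold` distinct phone numbers.

    Log format is constructed for this example: "<ip> GET <path>".
    """
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or "phone=" not in parts[2]:
            continue
        ip, path = parts[0], parts[2]
        phone = path.split("phone=", 1)[1].split("&", 1)[0]
        seen[ip].add(phone)
    return sorted(ip for ip, phones in seen.items() if len(phones) > threshold)


# Constructed sample log: one client looks up its own number, another walks a range.
SAMPLE_LOG = [
    "203.0.113.5 GET /payment?phone=2015550100",
    "203.0.113.5 GET /payment?phone=2015550100",
    "198.51.100.7 GET /payment?phone=2015550100",
    "198.51.100.7 GET /payment?phone=2015550101",
    "198.51.100.7 GET /payment?phone=2015550102",
    "198.51.100.7 GET /payment?phone=2015550103",
]

if __name__ == "__main__":
    anon = Request({"phone": "2015550100"})
    print("vulnerable:", lookup_vulnerable(anon))          # full record, no login needed
    print("hardened, anonymous:", lookup_hardened(anon))   # (401, None)
    own = Request({"phone": "2015550100"}, session_phone="2015550100")
    print("hardened, own account:", lookup_hardened(own))  # (200, name and plan only)
    print("enumerating clients:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler makes two separate decisions: authentication (is there a session at all) and authorization (does the session own the requested number), and it returns 403 rather than leaking whether the other number exists. The log check is deliberately crude; in practice the threshold would be tuned per endpoint and combined with rate limiting, but even this simple count distinguishes a customer checking her own bill from a client walking through numbers.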
Photo: Mike Mozart | Flickr