Andre Yoskowitz
14 Nov 2015 17:00
According to security researchers Eric Taylor and Blake Welsh, over 10 million MetroPCS subscribers were vulnerable to having their personal information stolen via a flaw in the site's payment page.
Anyone with some know-how and your phone number could have accessed your home address, MetroPCS plan and your phone's serial number.
The flaw brought back memories of 2010 when developer 'Weev' was able to harvest 114,000 iPad user email addresses from a vulnerability in AT&T's website.
Motherboard tested out the flaw before MetroPCS fixed the bug and well before they posted the report. Says the article: "When I tested the flaw, I asked a friend if I could use her as a guinea pig. All I needed to find out her data was use a Firefox plugin to send an HTTP request to MetroPCS' website using her phone number. Once I did that, I saw her full name, home address, the model and serial number of her phone, as well as how much she was paying a month for her subscription. My friend confirmed that the data was accurate."
Most scary was the fact that hackers could have potentially used the information to "clone" the victim's phones and intercept all messages.