British teen who tried to hack CIA chief finds 'critical' T-Mobile flaw exposing customer accounts

A "critical" security flaw on T-Mobile's website that could have allowed hackers to hijack customers' accounts has been uncovered by a British teen who tried to hack the accounts of multiple senior US government officials. Security researcher Kane Gamble, 18, found and reported the bug via the mobile carrier's bug bounty programme through HackerOne on 19 December last year, Motherboard first reported.

The flaw, marked as "critical", could have potentially allowed hackers to log in and hijack the account of any customer via T-Mobile's website. However, T-Mobile said there is currently no evidence to suggest customer data was compromised by any malicious actors.

"This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," T-Mobile said in an emailed statement to Motherboard. "We found no evidence of customer information being compromised."

It is still unclear how long the vulnerability was live and if any threat actors exploited the bug before it was patched.

"Everyone that was logging in could've had their account hacked," Gamble said. "You could monitor it for a very long time and honestly I don't think they'd ever suspect it."

According to security researcher Scott Helme, who reviewed the teen's bug report, the vulnerability was akin to "logging into your account and then stepping away from the keyboard and letting the attacker sit down".

Gamble was awarded $5,000 (£3,569) for reporting the flaw.

In 2015 and 2016, Gamble attempted to hack the computers of several senior US government officials including then-CIA Director John Brennan and former FBI Deputy Director Mark Giuliano using social engineering techniques. Some of his other targets included Barack Obama's deputy national security adviser Avril Haines and former US secretary of homeland security Jeh Johnson among other officials. He was just 15 years old when he launched the attacks from his bedroom computer at the Coalville, Leicestershire home he shared with his mother.

In October 2017, he pleaded guilty to eight charges of "performing a function with intent to secure unauthorised access" and two of "unauthorised modification of computer material" at Leicester crown court.

Meanwhile, this isn't the first security flaw for T-Mobile.

In October last year, another vulnerability was uncovered on the company's website that potentially allowed any threat actor to access customers' sensitive information such as their IMSI, email addresses, billing account numbers and more using just their phone number. An anonymous black hat hacker told Motherboard at the time that the vulnerability had been exploited by hackers "for quite a while".

Earlier this month, a man slapped T-Mobile with a lawsuit alleging the company's lack of security allowed hackers to infiltrate his wireless account and steal thousands of dollars worth of Bitcoins from one of his cryptocurrency wallets.

IBTimes UK has reached out to T-Mobile for further comment.