A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.
In May 2018, ZDNet ran a story about the discovery of a glaring vulnerability in the Web site for wireless provider T-Mobile that let anyone look up customer home addresses and account PINs. The story noted that T-Mobile disabled the feature in early April after being alerted by a 22-year-old “security researcher” named Ryan Stevenson, and that the mobile giant had
This post first appeared on Krebs On Security.