
A security flaw in a Trump Mobile website enabled data extraction through a simple HTTP POST request. The vulnerability exposed customer records in batches of ten, and each record included a customer number. That customer number could be used to loop through additional records. The exposed data included first and last names, primary and secondary addresses, email addresses, phone numbers, customer or account numbers, an enrollment ID, and whether the order was placed by phone or online. The flaw was described as not involving SQL, and the method reportedly allowed access to thousands of customer records within about an hour. The vulnerability has since been plugged.
“It wasn't SQL. That wouldn't be as bad,” he told The Register. “It was a really simple HTTP request. POST, and then just asking for the info I wanted, basically.”

More than 27,000 people who ordered from Trump Mobile, the President's all-American smartphone and cell service brand, had their data flimsily secured online, Louis claimed. Louis, a long-serving IT professional who refuses to be called a security researcher, said the types of data he was able to gather included: first and last names, primary addresses, secondary addresses, email addresses, phone numbers, customer/account numbers, “enrollment ID” (pre-order number), and whether the order was placed by phone or online.

“I discovered it first by looking into the site to see if I could find how many orders there actually were, and noticing some API endpoints,” he added. “I tried a couple of basic commands, and then it started showing whatever data I wanted. It was as easy as going to the website and writing a very simple HTTP POST request into the console.”

The website flaw only allowed him to return ten customer records at a time, he said, but these records all contained a customer number, which Louis used to loop through them all. In the space of an hour, the method allowed him to access the records of around 5,000 Trump Mobile customers, he claimed.
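The pattern described above is a missing authorization check on a record lookup. As an added illustration (not code from Trump Mobile or from The Register's report), the Python below places a lookup that trusts client-supplied customer numbers beside one that binds each request to the authenticated session and rejects numbers the caller does not own; the store, record fields and customer numbers are constructed sample data.

```python
"""Unauthorized record lookup beside its hardened form (added example)."""
from dataclasses import dataclass

PAGE_SIZE = 10  # the endpoint in the report returned ten records per call


@dataclass(frozen=True)
class Record:
    customer_number: int
    name: str
    email: str
    phone: str
    enrollment_id: str
    channel: str  # "phone" or "online", as in the report


# Constructed sample data standing in for the order database (assumption).
STORE = {
    n: Record(n, f"Customer {n}", f"c{n}@example.invalid", f"555-01{n:02d}",
              f"ENR-{1000 + n}", "online" if n % 2 else "phone")
    for n in range(1, 31)
}


class AuthorizationError(Exception):
    pass


def lookup_unauthenticated(customer_numbers):
    """The flawed pattern: any caller may request any customer numbers, and
    every record returned carries a number that feeds the next request."""
    return [STORE[n] for n in customer_numbers[:PAGE_SIZE] if n in STORE]


def lookup_for_session(session_customer_number, customer_numbers):
    """Hardened form: the caller's identity comes from the server-side
    session, and every requested number must belong to that caller.
    Foreign numbers are rejected outright rather than silently filtered,
    so a probe for other customers' records is both denied and loggable."""
    if session_customer_number not in STORE:
        raise AuthorizationError("no authenticated customer in session")
    if len(customer_numbers) > PAGE_SIZE:
        raise ValueError(f"at most {PAGE_SIZE} records per request")
    foreign = [n for n in customer_numbers if n != session_customer_number]
    if foreign:
        # Log-and-deny: either an enumeration attempt or a client bug.
        raise AuthorizationError(f"denied access to customer numbers {foreign}")
    return [STORE[session_customer_number]]
```

A real deployment would also log each denial with the session and source address, since a burst of them from one client is the enumeration signal described in the report.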
Read at theregister