Third-party vulnerabilities discovered in the websites for Apple’s online store and phone insurance company Asurion reportedly endangered account PINs belonging to T-Mobile and AT&T customers, respectively.
Now patched, the flaws could have been exploited by attackers using a brute-force attack to guess users’ PINs until they came upon the correct numeric combination, according to a report from BuzzFeed. Had attackers obtained these PINs, they could have hijacked customers’ phone numbers, along with any online accounts that can be reset via SMS or that rely on SMS-based two-factor authentication.
Discovered by researchers Phobia and Nicholas “Convict” Ceraolo, both vulnerabilities involved a lack of rate limits on a web page requesting user information. Apple’s online iPhone store reportedly exposed more than 77 million T-Mobile customer PINs or partial Social Security numbers during the process where customers select monthly iPhone payments via T-Mobile. The payment form allowed for unlimited attempts to enter either a PIN or partial SSN for authentication – an error Ceraolo said was likely attributable to an engineering mistake when T-Mobile’s account validation API connected with Apple’s website.
Similarly, Asurion had a claim-filing web page that attackers with knowledge of an AT&T customer’s phone number could use to reach a second form requesting the user’s passcode. This form also allowed unlimited tries. (Asurion reportedly has over 300 million customers, but the article does not state how many are AT&T customers.)
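The control missing in both cases was a per-account limit on failed attempts. As an added illustration (not code from the article, Apple, T-Mobile, AT&T or Asurion), the following Python verifier enforces a failed-attempt budget with lockout on a PIN check; the account id, PIN and limit values are constructed.

```python
import hmac
import time
from collections import defaultdict

# Constructed limits for illustration; tune to the real threat model.
MAX_ATTEMPTS = 5           # failed tries allowed per account within WINDOW_SECONDS
WINDOW_SECONDS = 15 * 60   # sliding window over which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked once the budget is spent

class PinVerifier:
    """Checks an account PIN and enforces a per-account failed-attempt budget.
    Counters live in memory here (constructed example); a real web tier keeps
    them in a shared store so every node enforces the same limit."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins                    # account_id -> PIN (sample data)
        self._clock = clock                  # injectable for deterministic tests
        self._failures = defaultdict(list)   # account_id -> failure timestamps
        self._locked_until = {}              # account_id -> unlock time

    def verify(self, account_id, pin_attempt):
        """Return 'ok', 'denied' or 'locked'. Unknown account ids are counted
        like wrong PINs, so the same budget also limits probing for accounts."""
        now = self._clock()
        if self._locked_until.get(account_id, 0) > now:
            return "locked"              # refuse even a correct PIN while locked
        # Drop failures older than the window so the count is a sliding one.
        cutoff = now - WINDOW_SECONDS
        recent = [t for t in self._failures[account_id] if t > cutoff]
        expected = self._pins.get(account_id)
        # Constant-time comparison so response timing does not leak digits.
        if expected is not None and hmac.compare_digest(expected, pin_attempt):
            self._failures.pop(account_id, None)
            return "ok"
        recent.append(now)
        self._failures[account_id] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[account_id] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def attempts_per_day():
    """Approximate upper bound on guesses per account per day under these limits."""
    cycle = max(WINDOW_SECONDS, LOCKOUT_SECONDS)   # budget refills only after both expire
    return MAX_ATTEMPTS * (24 * 3600 // cycle)
```

A per-account lockout on its own lets anyone who knows a phone number lock its owner out, so it is normally paired with per-source rate limits and a CAPTCHA or step-up challenge.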
BuzzFeed said Apple declined comment, other than to state the company was grateful to the researchers. Meanwhile, an Asurion spokesperson told the news outlet, “We are investigating the… concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”
Earlier this month, T-Mobile disclosed an unrelated data breach on Aug. 20, reportedly resulting in the potential exposure of roughly 2 million customers’ personal information.