
Rate limit vulnerabilities left AT&T, T-Mobile customer PINs prone to brute-force attacks

Third-party vulnerabilities discovered in the websites for Apple's online store and phone insurance company Asurion reportedly endangered account PINs belonging to T-Mobile and AT&T customers, respectively.

Now patched, the flaws could have been exploited by attackers using a brute-force attack to guess users' PINs until they came upon the correct numeric combination, according to a report from BuzzFeed. If they were to have accessed these PINs, the actors could have then hijacked customers' phone numbers, along with any online accounts that can be reset via SMS or SMS-based two-factor authentication.

Discovered by researchers Phobia and Nicholas “Convict” Ceraolo, both vulnerabilities involved a lack of rate limits on a web page requesting user information. Apple's online iPhone store reportedly exposed more than 77 million T-Mobile customer PINs or partial Social Security numbers during the process where customers select monthly iPhone payments via T-Mobile. The payment form allowed for unlimited attempts to enter either a PIN or partial SSN for authentication – an error Ceraolo said was likely attributable to an engineering mistake when T-Mobile's account validation API connected with Apple's website.

Similarly, Asurion had a claim-filing web page that attackers with knowledge of an AT&T customer's phone number could use to access a second form requesting the user's passcode. This form also allowed for unlimited tries. (Asurion reportedly has over 300 million customers, but the article does not state how many are AT&T customers.)
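The missing control in both cases was a per-account limit on attempts at the PIN or partial-SSN form. As an added illustration (not code from Apple, T-Mobile or Asurion; the account store and phone number are constructed), here is a check modelled on the flaw described beside a rate-limited version, with a simple metric for how many guesses each one answers before it stops responding:

```python
import hmac
import time
from collections import defaultdict
# Constructed sample store (made-up values): phone number -> account PIN.
ACCOUNTS = {"2125550100": "4821"}

def verify_unlimited(phone, pin):
    """Model of the flawed form: every guess is evaluated, however many failed."""
    return "ok" if hmac.compare_digest(ACCOUNTS.get(phone, ""), pin) else "wrong"

class RateLimitedVerifier:
    """Hardened check: per-account failure counter plus a lockout window. Keyed on
    the account, not only the client IP, since a guesser can rotate IPs."""
    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so lockout expiry can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def verify(self, phone, pin):
        """'ok', 'wrong' or 'locked'; while locked even the right PIN is refused."""
        now = self.clock()
        if self.locked_until.get(phone, 0.0) > now:
            return "locked"
        if hmac.compare_digest(ACCOUNTS.get(phone, ""), pin):
            self.failures.pop(phone, None)
            return "ok"
        self.failures[phone] += 1
        if self.failures[phone] >= self.max_attempts:
            self.locked_until[phone] = now + self.lockout_seconds
            self.failures.pop(phone, None)
            return "locked"
        return "wrong"

def answered_guesses(verify, phone):
    """Defender's exposure metric: guesses answered yes/no before lockout."""
    count = 0
    for n in range(10000):  # the whole 4-digit PIN space
        result = verify(phone, f"{n:04d}")
        if result == "locked":
            break
        count += 1
        if result == "ok":
            break
    return count

def exposure_comparison(phone="2125550100"):
    return {"unlimited": answered_guesses(verify_unlimited, phone),
            "rate_limited": answered_guesses(RateLimitedVerifier().verify, phone)}
```

Keying the lockout on the account alone lets a third party lock a victim out, so production deployments pair it with a per-IP limit and an unlock path that does not itself depend on the PIN.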

BuzzFeed said Apple declined comment, other than to state the company was grateful to the researchers. Meanwhile, an Asurion spokesperson told the news outlet, “We are investigating the… concerns, but have immediately implemented measures to address these concerns to ensure customers' accounts are safe.”

Earlier this month, T-Mobile disclosed an unrelated data breach on Aug. 20, reportedly resulting in the potential exposure of roughly 2 million customers' personal information.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
