
05/25/2023

AT&T resolves issue that would allow account takeover through ZIP code and phone number

The Record

AT&T recently fixed a vulnerability that would have allowed anyone to take over someone’s account on ATT.com just by knowing their phone number and ZIP code.

Cybersecurity researcher Joseph Harris discovered the bug earlier this year, finding a way to exploit an account merging feature for malicious means. The issue allowed him to effectively merge his own account with anyone else’s, giving him the ability to update that account’s password and take control of it.

“This could have allowed an attacker to SIM swap a person, change any of their details, cancel their service and much more,” he said in an interview. “Obviously SIM swapping is a big deal these days, imagine how this would have played out in the wrong hands.”

An AT&T spokesperson confirmed the problem in a statement to Recorded Future News. “The issue was fixed promptly through our established bug bounty program, and there is no evidence that it was exploited beyond the researcher,” the spokesperson said.
