This alert may not be shared outside your organization. Do not repost it, send it, place it on other websites or list servers, or send it to others via email, including other associations or parties. For member and law enforcement use only. Contact us for any permissions. Doing otherwise will result in the loss of membership.
AT&T resolves issue that would allow account takeover through ZIP code and phone number
AT&T recently fixed a vulnerability that would have allowed anyone to take over someone’s account on ATT.com just by knowing their phone number and ZIP code.
Cybersecurity researcher Joseph Harris discovered the bug earlier this year, finding a way to exploit an account-merging feature for malicious ends. The issue allowed him to effectively merge his own account with anyone else’s, giving him the ability to update that account’s password and take control of it.
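The weakness described above, modelled as an added illustration (not AT&T's code, and not the actual ATT.com flow, which the article does not describe): a merge that accepts phone number plus ZIP as proof of owning the target account, beside a hardened two-step version that completes only with a one-time code delivered to the target's existing contact channel. All account records, numbers, and the OUTBOX/PENDING stores are constructed.

```python
# Constructed illustration of the weakness class the article describes: an
# account-merge step that identifies the target only by data an outsider can
# know (phone number + ZIP). Not AT&T's code; every record and number is made up.
import secrets
from dataclasses import dataclass, field
@dataclass
class Account:
    account_id: str
    phone: str
    zip_code: str
    linked_ids: set = field(default_factory=set)

ACCOUNTS = {
    "victim": Account("victim", "+15555550100", "90210"),
    "attacker": Account("attacker", "+15555550199", "10001"),
}
OUTBOX = {}   # simulated delivery channel: target account id -> one-time code
PENDING = {}  # (caller id, target id) -> code awaiting confirmation

def find_by_phone_zip(phone, zip_code):
    for acct in ACCOUNTS.values():
        if acct.phone == phone and acct.zip_code == zip_code:
            return acct
    return None

def merge_weak(caller_id, phone, zip_code):
    """Weak: knowing phone + ZIP is treated as proof of owning the target."""
    target = find_by_phone_zip(phone, zip_code)
    if target is None or target.account_id == caller_id:
        return False
    ACCOUNTS[caller_id].linked_ids.add(target.account_id)  # takeover path
    return True

def start_merge(caller_id, phone, zip_code):
    """Hardened step 1: a code goes to the target's existing contact channel."""
    target = find_by_phone_zip(phone, zip_code)
    if target is None or target.account_id == caller_id:
        return None
    code = secrets.token_hex(4)
    PENDING[(caller_id, target.account_id)] = code
    OUTBOX[target.account_id] = code  # delivered to the target, never to caller
    return target.account_id

def complete_merge(caller_id, target_id, code):
    """Hardened step 2: merge only when the target-delivered code is presented."""
    expected = PENDING.pop((caller_id, target_id), None)  # single attempt
    if expected is None or not secrets.compare_digest(expected, code):
        return False
    ACCOUNTS[caller_id].linked_ids.add(target_id)
    return True
```

In the hardened flow the caller never receives the code, so knowing the victim's phone and ZIP is no longer enough; a wrong guess also consumes the pending request, so the step cannot be brute-forced by repeated calls.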
“This could have allowed an attacker to SIM swap a person, change any of their details, cancel their service and much more,” he said in an interview. “Obviously SIM swapping is a big deal these days, imagine how this would have played out in the wrong hands.”
An AT&T spokesperson confirmed the problem in a statement to Recorded Future News. “The issue was fixed promptly through our established bug bounty program, and there is no evidence that it was exploited beyond the researcher,” the spokesperson said.