AT&T resolves issue that would allow account takeover through ZIP code and phone number
AT&T recently fixed a vulnerability that would have allowed anyone to take over someone’s account on ATT.com just by knowing their phone number and ZIP code.
Cybersecurity researcher Joseph Harris discovered the bug earlier this year, finding a way to abuse an account merging feature for malicious ends. The issue allowed him to effectively merge his own account with anyone else’s, giving him the ability to update that account’s password and take control of it.
“This could have allowed an attacker to SIM swap a person, change any of their details, cancel their service and much more,” he said in an interview. “Obviously SIM swapping is a big deal these days, imagine how this would have played out in the wrong hands.”
An AT&T spokesperson confirmed the problem in a statement to Recorded Future News. “The issue was fixed promptly through our established bug bounty program, and there is no evidence that it was exploited beyond the researcher,” the spokesperson said.
How it works
AT&T has a subscriber base of approximately 81.5 million postpaid and 19 million prepaid customers.
Harris, who goes by the online moniker “Doc,” said the vulnerability was fairly simple to exploit. After creating a free ATT.com profile, a hacker could go to the “combine accounts” tab and select “already registered accounts.”
After entering the victim’s phone number and ZIP code, the hacker would be shown the victim’s masked user ID and prompted for that account’s password.
From there, Harris explained, a hacker could intercept the request sent when the password is entered and, through the website’s backend, redirect that password check to an account the hacker controls, so the merge went ahead without the victim’s password.
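The flow described above is, in general terms, a failure to bind the credential check to the account being acted on. The model below is an added illustration written for this article, not AT&T’s code, and every name in it (the account records, the `pending_target` session field, the `verify_account` request field) is a constructed assumption. It contrasts a merge handler that verifies the password against an account id the client names with one that verifies it against the account the server itself looked up from phone and ZIP.

```python
import hashlib
import hmac

# Constructed sample data (not real subscriber records): two accounts, each with
# a phone number, ZIP code and a salted password hash.
_SALT = b"constructed-demo-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


ACCOUNTS = {
    "acct-victim": {"phone": "2125550100", "zip": "10001", "pw": _pw_hash("victim-secret")},
    "acct-attacker": {"phone": "3105550199", "zip": "90210", "pw": _pw_hash("attacker-secret")},
}
# Which accounts each profile has been combined with: the state a merge changes.
LINKS = {acct: set() for acct in ACCOUNTS}


def lookup_account(phone: str, zip_code: str):
    """Step 1 of the combine flow: phone + ZIP identifies an account (the masked ID)."""
    for acct_id, rec in ACCOUNTS.items():
        if rec["phone"] == phone and rec["zip"] == zip_code:
            return acct_id
    return None


def password_ok(acct_id: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against one account's hash."""
    rec = ACCOUNTS.get(acct_id)
    return rec is not None and hmac.compare_digest(rec["pw"], _pw_hash(password))


def start_merge(session: dict, phone: str, zip_code: str):
    """Step 2: remember the looked-up account server-side as the pending merge target."""
    session["pending_target"] = lookup_account(phone, zip_code)
    return session["pending_target"]


def finish_merge_vulnerable(session: dict, request: dict) -> str:
    """Modelled defect (hypothetical): the password is verified against an account id
    taken from the request body, while the merge is applied to the pending target held
    in the session. Nothing ties the two together, so a valid password for any account
    the requester controls unlocks a merge of the looked-up one."""
    if not password_ok(request["verify_account"], request["password"]):
        return "denied"
    LINKS[session["owner"]].add(session["pending_target"])
    return "merged"


def finish_merge_fixed(session: dict, request: dict) -> str:
    """Hardened form: the password must belong to the pending target itself, and the
    account id is never read from the client at this step."""
    target = session.get("pending_target")
    if target is None or not password_ok(target, request["password"]):
        return "denied"
    LINKS[session["owner"]].add(target)
    return "merged"


def run_flow(handler, password: str):
    """Drives the flow from the attacker profile: look up the victim by phone + ZIP,
    then submit `password` with a request naming the attacker's own account for
    verification. Returns (handler result, whether the victim got linked)."""
    for links in LINKS.values():
        links.clear()
    session = {"owner": "acct-attacker"}
    start_merge(session, "2125550100", "10001")  # victim's phone + ZIP (constructed)
    request = {"verify_account": "acct-attacker", "password": password}
    result = handler(session, request)
    return result, "acct-victim" in LINKS["acct-attacker"]


if __name__ == "__main__":
    print("vulnerable, attacker's own password:", run_flow(finish_merge_vulnerable, "attacker-secret"))
    print("fixed, attacker's own password:     ", run_flow(finish_merge_fixed, "attacker-secret"))
    print("fixed, target's real password:      ", run_flow(finish_merge_fixed, "victim-secret"))
```

The check a reviewer wants on any multi-step flow like this is that the identifier used for authorization at the final step comes from server-held state (or a signed token) established earlier, never from a field the browser sends; the `fixed` handler passes only when the submitted password is the pending target’s own.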
Harris used his own accounts to test the attack method and it worked. He posted a video on YouTube of the issue depicting the process.
Although Harris’ reported vulnerability was eventually fixed, he wasn’t completely satisfied — he felt his bug bounty payment of $750 was low considering the severity of the issue, ease of exploitation and the fact that AT&T is one of the world’s largest telecommunications companies.
He noted that a similar bug he found affecting Vodafone netted him nearly $5,000 and that company “didn’t even have a public bounty program.”
AT&T did not respond to requests for comment about the bounty payment, but several cybersecurity experts backed Harris’ assessment that the issue was worth more than he was paid.
Contrast Security CISO David Lindner said the vulnerability was “really bad” and “could have led to complete account compromise for many ATT accounts, and then from there, who knows what could have happened such as changing SIMs, removing accounts, adding phones to other’s payment profiles, etc.”
KnowBe4’s Roger Grimes agreed that “this is a pretty big flaw.”
“The resulting action … the merged accounts … is even a bit strange, in how easy it is to do,” he said. “It makes me think there are multiple, either related or unrelated additional flaws, that are activated in this particular account attack scenario.”
Grimes noted that similar issues keep recurring at major telecoms, including AT&T, T-Mobile and Verizon. Just three weeks ago, TechCrunch reported that hackers exploited an AT&T vulnerability to steal cryptocurrency.
Harris cited the repeated announcements from all three major U.S. telecoms about data breaches over the last five years as evidence that SIM swapping still runs rampant.
He noted that if any cybercriminal or more sophisticated group got a hold of the issue, “mass chaos would have erupted.”
“We are talking about a way to get into anyone's AT&T account, just by knowing their phone number and ZIP code. The merge feature has been around for a while. Who's to say it hadn't been exploited and even if it wasn't, don't you think the public should be aware that they left the door wide open for over a year?” he said.
The Federal Communications Commission (FCC) confirmed in January that there have been multiple breaches affecting the country’s largest telecommunications companies: Verizon, T-Mobile and AT&T.
The FCC is now mulling changes to the breach notification rules for telecommunications companies because of the growing amount of data those companies hold.
Harris said his hope is that mobile carriers will eventually take issues like the one he discovered more seriously.
“Pretty much everyone uses a cellphone. It's an important part of our daily life,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.