AT&T.com Is Vulnerable, User Information Can Be Revealed
A serious security vulnerability has been found on AT&T.com, the site of a leader in telecommunication services including cell phones, wireless, U-verse, digital TV, high speed internet, DSL and home phone. The vulnerability allowed anyone to look up the phone number of an AT&T subscriber, provided they had the subscriber's email address. The issue involves a form on AT&T's site where a subscriber can enter their email address in order to recover their forgotten AT&T User ID. Instead of simply emailing the User ID to the address provided, the following page reveals the wireless phone number associated with that account.

The security consulting company Errata Security reported this vulnerability, and it has since been patched. The problem was first unveiled late Friday night in a posting on Reddit. According to the comments there, some Reddit users had already created working scripts that return a list of emails followed by the associated wireless phone number. The vulnerability seems to be hit or miss, though, in terms of whether it reveals the complete number or any number at all. It doesn't appear to work for Business Accounts, one commenter noted, but in another case it worked for someone who wasn't even an AT&T subscriber anymore.
To see if the hack works for you, visit https://www.att.com/olam/enterEmailForgotId.myworld, enter an email address, click Next, and see if a phone number is returned. For what it's worth, it didn't work for me (an AT&T subscriber), but that may be because it doesn't seem to work for those who have already established AT&T User IDs, as I have. At the very least, that should protect some of the potentially affected AT&T subscriber base from having their personal information revealed.
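The root cause described above is a recovery form that answers in the browser with data tied to the account instead of only sending the User ID out of band. The following is an added example, not code from AT&T, TechCrunch or Errata Security: a forgot-User-ID handler written the way the article describes the flawed behaviour, beside a hardened handler whose response is identical whether or not the email is on file, plus a per-source throttle so a script cannot walk a list of addresses. The account directory, function names and the `RateLimiter` class are constructed for the demo and are not AT&T's implementation.

```python
"""Added example: leaky vs. hardened 'forgot User ID' handling.
All account data below is constructed (placeholder values), not real subscribers."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import time


@dataclass
class Account:
    user_id: str
    email: str
    wireless_number: str


# Constructed sample directory keyed by email address.
ACCOUNTS = {
    "alice@example.com": Account("alice123", "alice@example.com", "555-0100"),
    "bob@example.com": Account("bob_at", "bob@example.com", "555-0101"),
}

# One fixed message used for every outcome, so the page itself carries no signal.
UNIFORM_MESSAGE = ("If an account matches that email address, "
                   "we have sent the User ID to it.")


def forgot_id_leaky(email: str, directory=ACCOUNTS) -> dict:
    """Flawed pattern as the article describes it: the page following the form
    echoes account data (the wireless number) back to whoever typed the email.
    The distinct 'not_found' answer (an assumption for this demo) additionally
    confirms whether the address belongs to a subscriber at all."""
    acct = directory.get(email)
    if acct is None:
        return {"http_status": 200, "status": "not_found"}
    return {"http_status": 200, "status": "ok",
            "wireless_number": acct.wireless_number}


def forgot_id_hardened(email: str, directory=ACCOUNTS,
                       outbox: Optional[list] = None) -> dict:
    """Hardened pattern: the only channel that carries anything account-specific
    is an email to the address on file. The HTTP response is the same object for
    a known and an unknown address, so the requester learns nothing."""
    acct = directory.get(email)
    if acct is not None and outbox is not None:
        # Out-of-band delivery; nothing about the account reaches the browser.
        outbox.append((acct.email, f"Your User ID is {acct.user_id}"))
    return {"http_status": 200, "status": "ok", "message": UNIFORM_MESSAGE}


class RateLimiter:
    """Sliding-window throttle per source (e.g. client IP) so bulk lookups
    against the recovery form are slowed down and become visible in logs."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(list)

    def allow(self, source: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits[source] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self._hits[source] = recent
            return False
        recent.append(now)
        self._hits[source] = recent
        return True


def handle_request(source: str, email: str, limiter: RateLimiter,
                   outbox: list) -> dict:
    """Request entry point combining the throttle with the hardened handler."""
    if not limiter.allow(source):
        # Same neutral wording even when throttled; only the status code differs.
        return {"http_status": 429, "status": "throttled",
                "message": UNIFORM_MESSAGE}
    return forgot_id_hardened(email, outbox=outbox)


if __name__ == "__main__":
    print("leaky, known  :", forgot_id_leaky("alice@example.com"))
    print("leaky, unknown:", forgot_id_leaky("nobody@example.com"))
    sent = []
    print("hard, known   :", forgot_id_hardened("alice@example.com", outbox=sent))
    print("hard, unknown :", forgot_id_hardened("nobody@example.com", outbox=sent))
    print("mail queued   :", sent)
```

The design point is that the two hardened responses compare equal, so neither the phone number nor the existence of the account can be read from the page; the User ID travels only to the mailbox that already owns the account. The throttle does not fix the disclosure on its own, but it turns a fast scripted walk through an email list into a stream of 429s that a detection rule can alert on.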
An AT&T spokesperson said: "We are dedicated to protecting our customer's personal information. While the function was intended to help improve customer experience, we have removed it from our site to prevent misuse."
Source: TechCrunch and Errata Security