Two separate security vulnerabilities exposed the personal identification numbers for millions of T-Mobile and AT&T accounts, according to a new report.
The security flaws were discovered in Apple’s online store, as well as the website for phone insurance firm Asurion. The vulnerabilities allowed hackers to gain the PINs, passcodes and partial social security numbers for millions of mobile accounts.
Account PINs are common security features that are meant to protect mobile subscribers from hacks.
Security researchers Phobia and Nicholas “Convict” Ceraolo ran across the exposed PINs and shared their findings with BuzzFeed News. Both Apple and Asurion patched the vulnerabilities after the publication revealed the researchers’ findings.
T-Mobile/Apple Online Store Hack
Reportedly, the Apple vulnerability that was exploited was present in an account validation page that asked for a T-Mobile subscriber’s cell number, as well as their PIN or Social Security number.
Due to a bug, the webpage allowed hackers to try an unlimited number of PIN attempts (a method known as “brute-forcing”). Because a PIN is typically a four-digit number, there are only 10,000 possible values, so it’s easily discoverable in a relatively short amount of time. The vulnerability allowed attackers to uncover PINs for over 72 million T-Mobile subscribers.
On the other hand, similar Apple validation pages for the other three major telecom firms were protected by rate limiters. When BuzzFeed News reported the story, Apple patched the T-Mobile page with a similar rate limiter.
Ceraolo added that it was likely an engineering mistake that occurred during the linking of T-Mobile’s API to Apple’s online store website.
The AT&T-affecting Asurion hack was a separate incident discovered by the same security researchers.
According to their findings, the issue was also tied to the lack of a rate limiter on an insurance claim filing page. Because of that flaw, hackers were able to brute-force the system and come away with a user’s PIN — though only if they had an AT&T subscriber’s phone number.
Reportedly, it only affected AT&T users who were also customers of Asurion phone insurance. Neither company has disclosed how many users were impacted, however.
As with the Apple flaw, the insurance claim form for other carriers was properly protected by a rate limiter. Again, after BuzzFeed News revealed the leaked information, Asurion patched the relevant web page.
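Both incidents come down to the same defect: a PIN check with no limit on attempts. The Python below is an added illustration, not code from Apple, Asurion or the article; it places a toy validator with no limiter beside one with a per-number attempt counter and lockout, and shows how many calls each allows before the four-digit space is exhausted. The account data, the five-attempt threshold and the fifteen-minute window are assumptions for the example only.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data for this example only (not real subscribers).
ACCOUNTS: Dict[str, str] = {"5551234567": "4821"}
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN


def validate_unlimited(phone: str, pin: str) -> str:
    """Validation endpoint with no rate limiter: the flaw both reports describe."""
    return "ok" if ACCOUNTS.get(phone) == pin else "bad_pin"


class RateLimitedValidator:
    """Same check behind a per-target-number failure counter with a lockout window.
    Keying on the target number (not the caller's IP) matters, because one number
    can be probed from many sources. Thresholds here are assumptions, not vendor values."""

    def __init__(self, max_attempts: int = 5, lockout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts, self.lockout_s, self.clock = max_attempts, lockout_s, clock
        self.failures: Dict[str, Tuple[int, float]] = {}  # phone -> (count, first failure time)

    def validate(self, phone: str, pin: str) -> str:
        now = self.clock()
        count, first = self.failures.get(phone, (0, now))
        if count >= self.max_attempts and now - first < self.lockout_s:
            return "locked"  # refuse without checking the PIN, even if it is correct
        if count >= self.max_attempts:  # lockout window has expired: start a fresh window
            count, first = 0, now
        if ACCOUNTS.get(phone) == pin:
            self.failures.pop(phone, None)
            return "ok"
        self.failures[phone] = (count + 1, first)
        return "bad_pin"


def attempts_until_recovered(check: Callable[[str, str], str], phone: str) -> Optional[int]:
    """Walk the whole PIN space against a validator and return how many calls it took
    to get 'ok', or None if the endpoint locked the number before the search finished."""
    for i, pin in enumerate(PIN_SPACE, start=1):
        result = check(phone, pin)
        if result == "ok":
            return i
        if result == "locked":
            return None
    return None
```

Against the unlimited validator the full search finishes within 10,000 calls; against the rate-limited one it is refused after the fifth failure, and the correct PIN is rejected for the rest of the window.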