"AT&T Resolves Issue That Would Allow Account Takeover Through ZIP Code and Phone Number"

AT&T recently patched a vulnerability that would have allowed anyone to hijack someone's account on the telecommunications company's official website by using the account holder's phone number and ZIP code. Joseph Harris, a cybersecurity researcher, uncovered the flaw earlier this year, discovering a way to exploit an account merging feature for malicious purposes. The vulnerability enabled him to effectively merge his account with that of anyone else, granting him the ability to change the password and assume control of that account. There is no evidence that the vulnerability was exploited beyond the researcher, according to an AT&T spokesperson who verified the issue and stated that it was promptly resolved through the company's bug bounty program. AT&T has approximately 81.5 million postpaid customers and 19 million prepaid customers.

According to Harris, the vulnerability was relatively easy to exploit. After creating a free profile on the company's website, an attacker could navigate to the "combine accounts" tab and select "already registered accounts." After inputting the victim's phone number and ZIP code, the masked user ID and password prompt would appear. Harris explained that hackers could intercept the request sent when the password is entered and use the website's backend to forward the password check to accounts the hacker controls. Harris successfully tested the attack technique using his own accounts.

This article continues to discuss the issue that would have enabled AT&T website account takeover.
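The flaw described above is a binding problem: the account located in the lookup step (by phone number and ZIP code) is not the account whose password ends up being checked. The following is an added toy model, written here to illustrate that control and not AT&T's code; the `MergeService` class, its account data, token scheme and method names are all hypothetical. It places a flawed verification step that lets the request choose which account's password is checked beside a hardened one that checks only the account bound to the server-side merge token.

```python
"""Toy model of a 'combine accounts' flow: a lookup step finds the target
account by phone number and ZIP code and returns a masked user ID, then a
verification step checks a password and, on success, links the target to
the caller's profile. Hypothetical code written to illustrate the control,
not AT&T's implementation."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    phone: str
    zip_code: str
    password_hash: bytes
    linked_profiles: set = field(default_factory=set)


def hash_password(password: str) -> bytes:
    # Constructed fixed salt so the toy is deterministic; use per-user salts in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)


class MergeService:
    def __init__(self) -> None:
        # Constructed sample data: one victim account, one account the attacker owns.
        self.accounts = {
            "victim-001": Account("victim-001", "5550100", "10001", hash_password("victim-secret")),
            "attacker-001": Account("attacker-001", "5550199", "90210", hash_password("attacker-secret")),
        }
        self.pending = {}  # merge token -> account_id found by lookup

    def lookup(self, phone: str, zip_code: str):
        """Step 1: locate the account to merge; returns (token, masked user ID) or None."""
        for acct in self.accounts.values():
            if acct.phone == phone and acct.zip_code == zip_code:
                token = secrets.token_hex(8)
                self.pending[token] = acct.account_id
                return token, acct.account_id[:2] + "*" * (len(acct.account_id) - 2)
        return None

    def _check(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.password_hash, hash_password(password))

    def verify_vulnerable(self, caller: str, token: str, password: str, verify_id: str) -> bool:
        """Step 2, flawed: the request names the account whose password is checked,
        while the account that gets linked is the one found in step 1."""
        target_id = self.pending.get(token)
        if target_id is None or verify_id not in self.accounts:
            return False
        if not self._check(self.accounts[verify_id], password):
            return False
        self.accounts[target_id].linked_profiles.add(caller)
        return True

    def verify_hardened(self, caller: str, token: str, password: str) -> bool:
        """Step 2, fixed: the password is checked only against the account bound
        to the token on the server side, and the token is single-use."""
        target_id = self.pending.pop(token, None)
        if target_id is None:
            return False
        target = self.accounts[target_id]
        if not self._check(target, password):
            return False
        target.linked_profiles.add(caller)
        return True


def merge_without_owner_password(hardened: bool) -> bool:
    """Regression check: a caller who knows only the victim's phone and ZIP,
    plus a password for an account they own, must not get linked to the victim."""
    svc = MergeService()
    token, _masked = svc.lookup("5550100", "10001")
    if hardened:
        svc.verify_hardened("attacker-001", token, "attacker-secret")
    else:
        svc.verify_vulnerable("attacker-001", token, "attacker-secret", "attacker-001")
    return "attacker-001" in svc.accounts["victim-001"].linked_profiles


def owner_can_merge() -> bool:
    """The legitimate owner, supplying the located account's own password, still succeeds."""
    svc = MergeService()
    token, _masked = svc.lookup("5550100", "10001")
    return svc.verify_hardened("owner-profile", token, "victim-secret")
```

The detection angle for a defender reviewing such a flow is the same as the fix: any identifier naming the account to be verified should come from server-side state established in the lookup step, never from the verification request body, and a merge token should be consumed once so a captured request cannot be replayed against a different account.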

The Record reports "AT&T Resolves Issue That Would Allow Account Takeover Through ZIP Code and Phone Number"
