Apple website security flaw exposed account PINs of T-Mobile customers


It looks like T-Mobile isn’t the only company to have a major security issue recently.

A security flaw in Apple’s online store exposed the account PINs of T-Mobile customers. That’s according to a report from BuzzFeed News, which says that a separate flaw in phone insurance company Asurion’s website exposed the passcodes of AT&T customers. The flaws were found by security researchers Phobia and Nicholas “Convict” Ceraolo and were patched by Apple and Asurion once the companies were notified of the vulnerabilities.

The flaw on Apple’s website was in the iPhone section of Apple’s online store. When you begin an iPhone purchase and choose monthly installment payments through T-Mobile, the site sends you to an authentication form where you enter your T-Mobile cellphone number and either the account PIN or the last four digits of your Social Security number. The page allowed an unlimited number of attempts in the PIN and SSN fields, which could let a malicious party brute-force their way into an account. The issue only affected T-Mobile, as the pages for AT&T, Sprint, and Verizon have a limit that locks access to the form for 60 minutes after five to 10 incorrect entries.
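To make the missing control concrete, here is an added example (not code from Apple, T-Mobile, Asurion or the BuzzFeed report) showing an unthrottled PIN check next to one that applies the kind of lockout the article attributes to the other carriers’ pages: five failures lock the account for 60 minutes, and a locked account refuses even the correct PIN until the window expires. The account store, phone number, PIN and injectable clock are constructed sample values.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5    # article: lock after five to 10 incorrect entries
LOCKOUT_SECONDS = 60 * 60  # article: form locked for 60 minutes


def verify_unthrottled(pins, phone, pin):
    """The weak pattern: every request is checked, nothing is counted.
    A 4-digit PIN falls to at most 10,000 guesses with no lockout."""
    return "ok" if pins.get(phone) == pin else "denied"


class PinVerifier:
    """PIN check with a per-account failure counter and timed lockout.
    `pins` is a constructed in-memory {phone: pin} store, not a carrier backend;
    `clock` is injectable so the lockout window can be tested without waiting."""

    def __init__(self, pins, clock=time.time):
        self._pins = pins
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, phone):
        until = self._locked_until.get(phone)
        return until is not None and self._clock() < until

    def verify(self, phone, pin):
        """Return 'ok', 'denied' or 'locked'. Unknown accounts take the same
        path as wrong PINs so the response does not reveal which numbers exist."""
        if self.is_locked(phone):
            return "locked"  # refuse before comparing, correct PIN or not
        expected = self._pins.get(phone, "").encode()
        if hmac.compare_digest(expected, pin.encode()):
            self._failures.pop(phone, None)
            self._locked_until.pop(phone, None)
            return "ok"
        self._failures[phone] += 1
        if self._failures[phone] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[phone] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(phone, None)  # fresh budget once the lock expires
        return "denied"
```

A per-account lock of this kind caps guessing at five tries per hour per number, but it also lets anyone who knows a phone number lock its owner out of the form for an hour, so production deployments usually pair it with per-source rate limiting and alerting on lockout spikes.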

Both T-Mobile and Apple declined to comment on this vulnerability. For more information on the security flaw and what may have caused it, see the BuzzFeed News report.

This is the second major T-Mobile-related security flaw that we’ve heard of this week, coming one day after the news that T-Mo experienced a data breach that may have exposed the personal data of around 2 million customers. This latest flaw is a serious one that could result in someone making changes to your account and potentially gaining access to some of your other online accounts. With news of this flaw coming out, it’s probably a good time to update your PIN, especially if you haven’t done so in a while.

Source: BuzzFeed News
