Apple website security flaw exposed account PINs of T-Mobile customers


It looks like T-Mobile isn’t the only company to have a major security issue recently.

A security flaw with Apple’s online store exposed the account PINs of T-Mobile customers. That’s according to a report from BuzzFeed News, which says that a separate flaw with phone insurance company Asurion’s website exposed the passcodes of AT&T customers. The flaws were found by security researchers Phobia and Nicholas “Convict” Ceraolo and were patched by Apple and Asurion when the companies were notified of the vulnerabilities.

The flaw on Apple’s website was part of the iPhone section of Apple’s online store. When you begin an iPhone purchase and choose monthly installment payments through T-Mobile, the site goes to an authentication form where you enter your T-Mobile cellphone number and the account PIN or last four digits of your social security number. The page allowed infinite attempts in the PIN and SSN fields, which could let a malicious party brute force their way into an account. The issue only affected T-Mobile, as the pages for AT&T, Sprint, and Verizon have a limit that locks access to the form for 60 minutes after five to 10 incorrect entries.
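As an added illustration (not code from Apple, T-Mobile or the BuzzFeed report), here is a minimal server-side attempt limiter of the kind the other carriers' pages are described as having: the form locks for 60 minutes after a fixed number of wrong entries. The threshold of 5, the class and function names, and the in-memory store are assumptions made for the example.

```python
import hmac
import time

MAX_FAILURES = 5             # assumed; the article says "five to 10"
LOCKOUT_SECONDS = 60 * 60    # 60-minute lock, as described in the article


class AttemptLimiter:
    """Tracks failed PIN/SSN entries per phone number (in memory, for illustration)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # phone number -> consecutive failures
        self._locked_until = {}  # phone number -> time when the lock ends

    def is_locked(self, phone):
        until = self._locked_until.get(phone)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear state so the user gets a fresh set of attempts.
            del self._locked_until[phone]
            self._failures.pop(phone, None)
            return False
        return True

    def verify(self, phone, submitted, expected):
        """Return 'ok', 'wrong' or 'locked'. The secret is never compared while locked."""
        if self.is_locked(phone):
            return "locked"
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(phone, None)
            return "ok"
        count = self._failures.get(phone, 0) + 1
        self._failures[phone] = count
        if count >= MAX_FAILURES:
            self._locked_until[phone] = self._clock() + LOCKOUT_SECONDS
        return "wrong"


def guesses_before_block(limiter, phone, expected):
    """Count sequential 4-digit guesses accepted before the limiter locks or the PIN matches."""
    for n in range(10_000):
        result = limiter.verify(phone, f"{n:04d}", expected)
        if result != "wrong":
            return n, result
    return 10_000, "exhausted"
```

Because failures are counted per phone number rather than per browser session, opening a new session does not reset the count; the trade-off is that repeated wrong entries can temporarily lock the legitimate customer out of the form.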

Both T-Mobile and Apple declined to comment on this vulnerability. For more information on the security flaw and what may have caused it, you can go here.

This is the second major T-Mobile-related security flaw that we’ve heard of this week, coming one day after the news that T-Mo experienced a data breach that may have exposed the personal data of around 2 million customers. This latest flaw is a serious one that could result in someone making changes to your account and potentially gaining access to some of your other online accounts. With news of this flaw coming out, it’s probably a good time to update your PIN, especially if you haven’t done so in a while.

Source: BuzzFeed News


  • Willie D

    Jesus Christ already T-Mobile, what kinda security team do you have there? I mean, why do literally ALL the security breaches lately have to do with T-Mobile or a company T-Mobile affiliates with? Why do T-Mobile customers get more scam and spam calls than any other carrier? To be honest, I’m starting to think this is a partial inside job of someone selling access, passwords, numbers, and account info to scammers and hackers, ’cause these problems are repetitive and too frequent for them to just be by chance.

    • Derrik Brozovich

      You realize any company is vulnerable, right? Apple’s integration of T-Mobile login is at fault because normal T-Mobile login is only a few attempts before you’re locked out entirely. So one of the most valuable and secure companies in the world left themselves and another company exposed because of their flaw.

    • Louise Lonsdale

      Who else vs other companies?

  • jralphroman

    I blame the Russians