
Flaws in Apple & Asurion websites expose PINs of millions of iPhone users

Although already fixed, security vulnerabilities at Apple's online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.

The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion is noted to have had a separate flaw, affecting the PINs of AT&T customers.

Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let attackers make an unlimited number of guesses, unlike the forms for the other three major U.S. carriers, which were already protected by rate limiters.

The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.

The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.
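Both flaws described above come down to the same missing control: a form that checks a short numeric PIN against a phone number, with no limit on failed attempts, can be brute-forced over the whole keyspace. The following is an added example, not code from Apple, Asurion, T-Mobile, AT&T or the BuzzFeed report, that models such a check in both forms: one with no rate limiting and one that locks the phone number after a fixed number of failures. The phone numbers, PINs, attempt limit and lockout window are constructed values chosen for illustration.

```python
"""Account-validation PIN check, unlimited vs. rate-limited (added example).

The unlimited verifier models the flaw described in the article: an
attacker who knows the phone number can walk every 4-digit PIN.  The
rate-limited verifier locks the phone number after max_attempts failures
for lockout_seconds, which is what the other carriers' forms already did.
"""
import hmac
import itertools
from dataclasses import dataclass, field


@dataclass
class AccountPinVerifier:
    # Constructed sample data: phone number -> account PIN. Not real accounts.
    pins: dict
    max_attempts: int = 3          # hypothetical policy: lock after 3 failures
    lockout_seconds: float = 900.0  # hypothetical policy: 15-minute lockout
    rate_limited: bool = True       # False reproduces the vulnerable behaviour
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def verify(self, phone: str, pin: str, now: float = 0.0) -> str:
        """Return "ok", "bad_pin" or "locked".  `now` is an injected clock
        (seconds) so the behaviour is deterministic and testable."""
        if self.rate_limited and now < self._locked_until.get(phone, 0.0):
            # Reject without even checking the PIN while the lockout holds,
            # so a correct guess during the window leaks nothing.
            return "locked"

        # Constant-time comparison; an unknown phone compares against "".
        if hmac.compare_digest(self.pins.get(phone, ""), pin):
            self._failures.pop(phone, None)
            return "ok"

        if self.rate_limited:
            n = self._failures.get(phone, 0) + 1
            self._failures[phone] = n
            if n >= self.max_attempts:
                self._locked_until[phone] = now + self.lockout_seconds
                self._failures[phone] = 0
        return "bad_pin"


def brute_force(verifier: AccountPinVerifier, phone: str, digits: int = 4,
                now: float = 0.0):
    """Try every PIN of the given length in order, stopping on success or
    lockout.  Returns (pin_or_None, attempts_made)."""
    attempts = 0
    for candidate in itertools.product("0123456789", repeat=digits):
        pin = "".join(candidate)
        attempts += 1
        result = verifier.verify(phone, pin, now=now)
        if result == "ok":
            return pin, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    target = "5551234567"          # constructed phone number
    accounts = {target: "7391"}    # constructed PIN

    # Vulnerable form: every guess is accepted, so the PIN falls out.
    print(brute_force(AccountPinVerifier(accounts, rate_limited=False), target))

    # Rate-limited form: three failures and the number is locked.
    print(brute_force(AccountPinVerifier(accounts), target))
```

Two points a practitioner would add in practice: the lockout key here is the phone number, which stops the guessing attack described in the article but also lets anyone who knows a number lock its owner out, so real deployments pair it with per-source throttling and a slowdown rather than a hard lock; and the check should sit in the carrier-facing API, not only in the front end, since an attacker calls the endpoint directly.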

The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.



18 Comments

nunzy 6 Years · 662 comments

This sounds like it is T-Mobile's fault, and not Apple's.

MplsP 8 Years · 4047 comments

... and is there any evidence it was exploited?

adamc 16 Years · 583 comments

So what is the Apple vulnerability? Care to explain.

Rayz2016 8 Years · 6957 comments

adamc said:
So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

ericthehalfbee 13 Years · 4489 comments

The original article is confusing. When they say “exposed 77 million PINs” it sounds like 77 million people (the entire T-Mobile subscriber base) had their PINs stolen.

In fact, if I read this correctly, the flaw could potentially allow someone to brute force a PIN on a given phone number. It doesn’t make any claims about this actually happening to anyone.

I’d be curious if there are numbers that show how many people had a PIN stolen. Surely they would know, as they’d get a request from a customer trying to regain access to their account or complaining about fraud. If an unusually higher than normal number of customers contacted them in a short period of time over similar account issues, then that would tip them off that there was some type of security breach. If the numbers haven’t changed then it’s likely this exploit wasn’t utilized.