Although already fixed, security vulnerabilities at Apple's online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.
The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion had a separate flaw that affected the PINs of AT&T customers.
Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let attackers make an unlimited number of attempts — unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.
The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.
The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.
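The common defect in both cases is a PIN check that can be retried without limit. The following is an added illustration, not code from Apple, Asurion or either carrier, of what a per-number rate limiter on such a validation form looks like; the attempt threshold, window and sample phone/PIN pair are assumed values chosen for the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Hypothetical policy: at most 5 PIN attempts per phone number in any 15-minute window.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 15 * 60

# Constructed sample data (not real accounts): phone number -> account PIN.
PINS = {"5551234567": "4821"}


class PinValidator:
    """Validates an account PIN for a phone number, rate-limited per number.

    Without the rate limit, a 4-digit PIN falls to at most 10,000 guesses;
    with it, an attacker gets MAX_ATTEMPTS guesses per WINDOW_SECONDS.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested offline
        self.failures = defaultdict(deque)  # phone -> timestamps of recent failures

    def _recent_failures(self, phone, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures[phone]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def validate(self, phone, pin):
        """Return 'ok', 'invalid' or 'rate_limited'."""
        now = self.clock()
        recent = self._recent_failures(phone, now)
        if len(recent) >= self.max_attempts:
            # Refuse before checking the PIN, so a correct guess inside a
            # locked window is not confirmed either.
            return "rate_limited"
        expected = PINS.get(phone)
        # Constant-time compare; an unknown number is handled like a wrong PIN
        # so the response does not reveal which numbers have accounts.
        if expected is not None and hmac.compare_digest(expected, pin):
            recent.clear()
            return "ok"
        recent.append(now)
        return "invalid"
```

In production the failure counters would live in shared storage (and the lockout would also be keyed on client IP and session), since a per-process dictionary is bypassed by spreading requests across servers.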
The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.
18 Comments
This sounds like it is T-Mobile's fault, and not Apple's.
... and is there any evidence it was exploited?
So what is the Apple vulnerability? Care to explain.
The original article is confusing. When they say “exposed 77 million PINs” it sounds like 77 million people (the entire T-Mobile subscriber base) had their PINs stolen.
In fact, if I read this correctly, the flaw could potentially allow someone to brute force a PIN on a given phone number. It doesn’t make any claims about this actually happening to anyone.
I’d be curious if there are numbers that show how many people had a PIN stolen. Surely they would know, as they’d get a request from a customer trying to regain access to their account or complaining about fraud. If an unusually higher than normal number of customers contacted them in a short period of time over similar account issues, then that would tip them off that there was some type of security breach. If the numbers haven’t changed then it’s likely this exploit wasn’t utilized.