Flaws in Apple & Asurion websites expose PINs of millions of iPhone users
Although already fixed, security vulnerabilites at Apple's online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.
The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion is noted to have had a separate flaw, affecting the PINs of AT&T customers.
Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let hackers try an infinite amount of attempts — unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.
The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.
The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.
The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.