Flaws in Apple & Asurion websites expose PINs of millions of iPhone users


AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Although already fixed, security vulnerabilities at Apple's online store and at the website of Asurion, a phone insurance firm, recently exposed the account PINs of millions of mobile subscribers, a report revealed on Friday.

The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion reportedly had a separate flaw affecting the PINs of AT&T customers.

Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would let an attacker make an unlimited number of attempts. With no rate limiter on the form, a short numeric PIN can simply be guessed exhaustively. The corresponding forms for the other three major U.S. carriers were already protected by rate limiters.

The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.

The Asurion vulnerability let anyone who knew an AT&T user's phone number reach a second form asking for that user's PIN, which, like Apple's page, lacked a rate limiter.
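Both flaws described above come down to the same missing control: a PIN form that evaluates every guess for a given phone number. The following is an added example written for this page, not code from Apple, T-Mobile, AT&T, Asurion or the researchers. It models a PIN-check endpoint in Python twice, once without any limit and once with an attempt cap and lockout keyed on the target phone number, then runs a plain enumeration of the 4-digit keyspace against both. The account table, the PIN length, the attempt cap of 5 and the 15-minute lockout window are constructed assumptions for the demonstration.

```python
import hmac
import math
import time


class TooManyAttempts(Exception):
    """Raised when the target phone number is inside a lockout window."""


# Constructed sample data for the demonstration only; these are not real accounts.
ACCOUNTS = {"5551234567": "4821", "5559876543": "0042"}


class UnlimitedValidator:
    """Models the flawed form: every guess for a phone number is evaluated."""

    def __init__(self, accounts):
        self.accounts = accounts

    def validate(self, phone, pin):
        stored = self.accounts.get(phone, "")
        # Constant-time compare; differing lengths simply yield False.
        return hmac.compare_digest(stored.encode(), pin.encode())


class RateLimitedValidator:
    """Same check, but after max_attempts consecutive failures the target
    phone number is locked for lockout_seconds. The limit is keyed on the
    *target* account rather than only the source IP, because an attacker
    with many IPs still has only one account to guess against."""

    def __init__(self, accounts, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.accounts = accounts
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so lockout expiry can be shown offline
        self.failures = {}          # phone -> consecutive failed guesses
        self.locked_until = {}      # phone -> clock value at which the lockout ends

    def is_locked(self, phone):
        return self.clock() < self.locked_until.get(phone, 0.0)

    def validate(self, phone, pin):
        if self.is_locked(phone):
            raise TooManyAttempts(phone)
        stored = self.accounts.get(phone, "")
        if hmac.compare_digest(stored.encode(), pin.encode()):
            self.failures.pop(phone, None)
            return True
        count = self.failures.get(phone, 0) + 1
        if count >= self.max_attempts:
            self.failures.pop(phone, None)
            self.locked_until[phone] = self.clock() + self.lockout_seconds
        else:
            self.failures[phone] = count
        return False


class FakeClock:
    """Controllable clock standing in for time.monotonic in the demonstration."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def brute_force_pin(validator, phone, pin_length=4):
    """Enumerate every PIN of the given length in order.
    Returns (recovered PIN or None, number of guesses the server evaluated)."""
    evaluated = 0
    for n in range(10 ** pin_length):
        guess = f"{n:0{pin_length}d}"
        try:
            ok = validator.validate(phone, guess)
        except TooManyAttempts:
            return None, evaluated      # locked out; attacker must wait
        evaluated += 1
        if ok:
            return guess, evaluated
    return None, evaluated


def worst_case_seconds(pin_length, max_attempts, lockout_seconds):
    """Time an attacker spends waiting out lockouts to exhaust the keyspace:
    one lockout between each batch of max_attempts guesses."""
    guesses = 10 ** pin_length
    return (math.ceil(guesses / max_attempts) - 1) * lockout_seconds


if __name__ == "__main__":
    phone = "5551234567"
    print(brute_force_pin(UnlimitedValidator(ACCOUNTS), phone))   # ('4821', 4822)
    clock = FakeClock()
    limited = RateLimitedValidator(ACCOUNTS, clock=clock)
    print(brute_force_pin(limited, phone))                         # (None, 5)
    clock.advance(900)
    print(limited.validate(phone, "4821"))                         # True once the lockout has expired
    print(worst_case_seconds(4, 5, 900) / 86400)                   # roughly 20.8 days of waiting
```

Against the unlimited form the whole 4-digit space is exhausted in a few thousand requests; against the limited one the same enumeration stops after five evaluated guesses, and even an attacker who patiently waits out every lockout needs on the order of three weeks per account. A real deployment would also limit by source IP and alert on repeated lockouts, but the per-target cap is the control whose absence the article describes.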

The Apple flaw is unrelated to a T-Mobile server breach that took place on Aug. 20 and exposed some of the personal information of about 3 percent of the carrier's subscribers.