Saturday, June 3, 2023
AT&T Fixes Vulnerability Allowing Account Hijacking

To gain full control over the account, it is enough to know the phone number and postal code of the victim.

AT&T has fixed a vulnerability on its ATT.com website that allowed any attacker to take over someone else’s account, knowing only the victim’s phone number and zip code.

The problem was discovered by cybersecurity researcher Joseph Harris earlier this year. Harris found a way to abuse the account merging feature. The essence of the vulnerability was that an attacker could merge their own account with any other account, gaining the ability to change the password on the victim’s account and take control of it.

According to Harris, the flaw could allow an attacker to perform SIM swapping, change any of the victim’s data, manage account services and much more.

An AT&T spokesperson confirmed the problem and stated that the vulnerability was promptly fixed after being reported through the company’s bug bounty program. The spokesperson also added that there is no evidence that the bug was exploited by anyone other than the researcher.


How the vulnerability works

After creating a free profile on ATT.com, an attacker could go to the “merge accounts” tab and select “already registered accounts.” After entering the victim’s phone number and zip code, the victim’s hidden user ID would appear and the site would prompt for that account’s password. The attacker could then intercept that password request and, through the site’s backend, redirect it to their own account.
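A minimal model of the flawed merge check beside its corrected form, added here as an illustration and not code from AT&T or the researcher. It assumes, based on the description above, that the password verification step accepted an account identifier separate from the account being merged; the names `Store`, `merge_vulnerable` and `merge_fixed` are hypothetical.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Store:
    """Minimal account store: phone + ZIP resolve to a hidden user ID, as the article describes."""
    def __init__(self):
        self.by_id = {}
    def create(self, user_id, phone, zip_code, password):
        salt = secrets.token_bytes(16)
        self.by_id[user_id] = {"phone": phone, "zip": zip_code, "salt": salt,
                               "pw_hash": _hash(password, salt), "controllers": set()}
    def lookup(self, phone, zip_code):
        return next((uid for uid, a in self.by_id.items()
                     if a["phone"] == phone and a["zip"] == zip_code), None)
    def check_password(self, user_id, password):
        a = self.by_id[user_id]
        return hmac.compare_digest(_hash(password, a["salt"]), a["pw_hash"])

def merge_vulnerable(store, caller, target_id, verify_id, password):
    # Flaw: the account the password is checked against (verify_id) arrives in the request
    # separately from the account being merged (target_id), so the two can be different accounts.
    if not store.check_password(verify_id, password):
        return False
    store.by_id[target_id]["controllers"].add(caller)  # caller now manages the target account
    return True

def merge_fixed(store, caller, target_id, password):
    # Fix: the password is verified against the account being merged itself; no second
    # identifier is accepted, so proof of ownership and merge target cannot diverge.
    if not store.check_password(target_id, password):
        return False
    store.by_id[target_id]["controllers"].add(caller)
    return True

def demo():
    s = Store()  # constructed sample accounts, not real data
    s.create("victim-1", "5551234567", "10001", "victim-secret")
    s.create("attacker-1", "5559999999", "90210", "attacker-pw")
    target = s.lookup("5551234567", "10001")
    return {
        "vulnerable, caller's own password": merge_vulnerable(s, "attacker-1", target, "attacker-1", "attacker-pw"),
        "fixed, caller's own password": merge_fixed(s, "attacker-1", target, "attacker-pw"),
        "fixed, target's real password": merge_fixed(s, "victim-profile-2", target, "victim-secret"),
    }
```

The defensive point is the binding: whatever proves ownership must be checked against the same server-side identifier that the merge acts on, never against one the client supplies alongside it.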



The $750 bounty from AT&T for finding the bug seemed insufficient to Harris, given the severity of the problem, the ease of exploitation, and the fact that AT&T is one of the largest telecommunications companies in the world.

AT&T did not respond to requests for comment on the reward, but several security experts agreed with Harris that the problem was worth more than he was paid. Among the experts was Roger Grimes of KnowBe4. He noted that similar problems keep recurring at the largest telecom operators – AT&T, T-Mobile and Verizon.

Harris cited repeated security breach announcements from all three major US telecom operators over the past 5 years as evidence that SIM swapping is still a popular attack method for cybercriminals. Harris noted that if a real hacker or group exploited the vulnerability, “there would be massive chaos.”



Source link

www.securitylab.ru
