A vulnerability has been discovered on AT&T’s website that allows anyone to look up the phone number of an AT&T subscriber, provided they have the subscriber’s email address. The issue involves a form on AT&T’s site where a subscriber can enter their email address in order to recover a forgotten AT&T User ID. But instead of simply emailing the User ID to the address provided, the following page reveals the wireless phone number associated with that account.
UPDATE: AT&T says the vulnerability has been removed. See below.
According to security consulting company Errata Security, which reported the problem this morning, it’s clear that AT&T never intended for anyone to abuse this feature - it’s meant to be helpful to those who have simply forgotten their account information. But unfortunately, the feature is incredibly easy to abuse. Not only is it accessible to those without any technical skills, it’s also “trivially easy” for hackers to create a script that will extract useful information, explains Robert David Graham of Errata.
The problem was first unveiled late Friday night in a posting on Reddit (but of course). According to the comments there, some Reddit users have already created working scripts that return a list of emails followed by the associated wireless phone number. But the vulnerability seems to be hit or miss in terms of whether it reveals the complete number or any number at all. It doesn’t appear to work for Business Accounts, one commenter noted, but in another case it worked for someone who wasn’t even an AT&T subscriber anymore.
To see if the hack works for you, visit https://www.att.com/olam/enterEmailForgotId.myworld, enter an email address, click next, and see if a phone number is returned.
For what it’s worth, it didn’t work for me (an AT&T subscriber), but that may be because it doesn’t seem to work for those who have already established AT&T User IDs, as I have. At the very least, that should protect some of the potentially affected AT&T subscriber base from having their personal information revealed.
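The flaw described above is a classic account-recovery information leak: the response page itself carries account data, and it differs depending on whether the email is known, so the form doubles as a lookup service. The following added example (it is not AT&T’s code and does not come from the article or from Errata) contrasts that pattern with a hardened recovery handler. The account store, the `leaky_forgot_id` and `RecoveryService` names, the sample email addresses and phone numbers, and the per-client rate limit are all constructed assumptions for illustration.

```python
"""Account-recovery lookup: the leaky pattern beside a hardened one.

Constructed toy example. The account store below is fictional data, and the
function/class names are assumptions made for illustration only.
"""
import time
from collections import defaultdict

# Constructed sample accounts (fictional values, not real subscribers).
ACCOUNTS = {
    "alice@example.com": {"user_id": "alice123", "phone": "555-0100"},
    "bob@example.com":   {"user_id": "bob_w",    "phone": "555-0101"},
}


def leaky_forgot_id(email):
    """The pattern the article describes: the HTTP response itself reveals
    account data (here the phone number), and the response for an unknown
    email differs from the response for a known one. Anyone holding a list
    of email addresses can therefore use the form as a lookup service."""
    account = ACCOUNTS.get(email)
    if account is None:
        return {"status": "not found"}
    return {"status": "ok", "phone": account["phone"]}


# The hardened handler always returns this same text, known email or not.
GENERIC_ACK = "If an account exists for that address, we have emailed its User ID."


class RecoveryService:
    """Hardened 'forgot User ID' flow.

    Design choices:
      * No account data is ever placed in the response; the User ID goes
        out of band, to the email address on file.
      * Known and unknown emails get byte-identical responses, so the form
        cannot be used to confirm whether an address belongs to a subscriber.
      * Requests are rate-limited per client so bulk querying is throttled
        and becomes visible in logs.
    """

    def __init__(self, send_email, max_per_window=5, window_seconds=3600,
                 clock=time.time):
        self.send_email = send_email          # injected so tests can capture mail
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                    # injected for deterministic tests
        self._attempts = defaultdict(list)    # client_ip -> request timestamps

    def _rate_limited(self, client_ip):
        """Sliding-window counter: True if this client exceeded its budget."""
        now = self.clock()
        recent = [t for t in self._attempts[client_ip] if now - t < self.window]
        self._attempts[client_ip] = recent
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def forgot_id(self, email, client_ip):
        if self._rate_limited(client_ip):
            return {"status": "rate_limited",
                    "message": "Too many requests; try again later."}
        account = ACCOUNTS.get(email)
        if account is not None:
            # In production this send should be queued asynchronously so the
            # response time does not differ between known and unknown emails.
            self.send_email(email, f"Your User ID is {account['user_id']}")
        # Same response either way: nothing here distinguishes the two cases.
        return {"status": "accepted", "message": GENERIC_ACK}


if __name__ == "__main__":
    outbox = []
    svc = RecoveryService(lambda to, body: outbox.append((to, body)))
    print("leaky  :", leaky_forgot_id("alice@example.com"))
    print("safe   :", svc.forgot_id("alice@example.com", "203.0.113.5"))
    print("safe   :", svc.forgot_id("nobody@example.com", "203.0.113.5"))
    print("outbox :", outbox)
```

Running the script shows the leaky handler returning the phone number in-band, while the hardened service returns the same generic acknowledgement for both a known and an unknown address and delivers the User ID only through the captured outbox.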
To be clear, for this issue to be a threat, a hacker would have to have your email address in order to retrieve your phone number from the website. These days, however, obtaining lists of personal emails is not hard for hackers to do. Thanks to a number of well-publicized security breaches in recent months, including the most recent attack on YouPorn, there are several lists containing customer email addresses floating around the web. In addition, earlier security breaches at Zappos.com, Sony’s PlayStation Network, marketing firm Epsilon (whose customers included TiVo, Walgreens, Disney, HSN, several banks, Marriott and more) and elsewhere have managed to affect a wide swath of the U.S. online population.
AT&T itself has faced similar security issues before. In 2010, for example, a security flaw in one of AT&T’s customer-identification scripts allowed hackers to extract as many as 114,000 email addresses of iPad owners.
We’ve reached out to AT&T for confirmation and asked whether or not a fix is underway. We’ll update if/when we hear back.
UPDATE: AT&T says it has removed the vulnerability from the website. Below is a statement issued by an AT&T spokesperson:
“We are dedicated to protecting our customer’s personal information. While the function was intended to help improve customer experience, we have removed it from our site to prevent misuse.”