AT&T resolves security flaw allowing unauthorized account takeover

Share post:

AT&T patched a critical vulnerability that might have allowed unauthorized access to consumer accounts on ATT.com. This vulnerability might be exploited simply by knowing the victim’s phone number and ZIP code.

This security flaw was discovered by cybersecurity researcher Joseph Harris, who discovered a way to abuse an account merging function for malevolent reasons. Harris could effectively merge his personal account with any other account by exploiting this vulnerability, providing him complete power and the ability to change the password associated with it.

Harris said that the attack included creating a free ATT.com profile, then going to the “combine accounts” button and selecting “already registered accounts.” The disguised user ID connected with the victim’s account would be disclosed after inputting the victim’s phone number and ZIP code, prompting them to enter their password. Hackers would then intercept the password request and reroute it to accounts under their control using the website’s backend.

An AT&T spokesperson acknowledged the problem and confirmed its resolution through the company’s bug bounty program. They clarified that there is no evidence to suggest that the vulnerability was exploited beyond the scope of the researcher’s testing.

The sources for this piece include an article in TheRecord.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways