May 24, 2023
AT&T patched a critical vulnerability that might have allowed unauthorized access to consumer accounts on ATT.com. This vulnerability might be exploited simply by knowing the victim’s phone number and ZIP code.
This security flaw was discovered by cybersecurity researcher Joseph Harris, who discovered a way to abuse an account merging function for malevolent reasons. Harris could effectively merge his personal account with any other account by exploiting this vulnerability, providing him complete power and the ability to change the password associated with it.
Harris said that the attack included creating a free ATT.com profile, then going to the “combine accounts” button and selecting “already registered accounts.” The disguised user ID connected with the victim’s account would be disclosed after inputting the victim’s phone number and ZIP code, prompting them to enter their password. Hackers would then intercept the password request and reroute it to accounts under their control using the website’s backend.
An AT&T spokesperson acknowledged the problem and confirmed its resolution through the company’s bug bounty program. They clarified that there is no evidence to suggest that the vulnerability was exploited beyond the scope of the researcher’s testing.
The sources for this piece include an article in TheRecord.
