Flaws in Apple & Asurion websites expose PINs of millions of iPhone users
Although already fixed, security vulnerabilites at Apple's online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.
The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion is noted to have had a separate flaw, affecting the PINs of AT&T customers.
Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let hackers try an infinite amount of attempts -- unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.
The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.
The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.
The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.
The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion is noted to have had a separate flaw, affecting the PINs of AT&T customers.
Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let hackers try an infinite amount of attempts -- unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.
The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.
The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.
The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.
Comments
In fact, if I read this correctly, the flaw could potentially allow someone to brute force a PIN on a given phone number. It doesn’t make any claims about this actually happening to anyone.
I’d be curious if there are numbers that show how many people had a PIN stolen. Surely they would know, as they’d get a request from a customer trying to regain access to their account or complaining about fraud. If an unusually higher than normal number of customers contacted them in a short period of time over similar account issues, then that would tip them off that there was some type of security breach. If the numbers haven’t changed then it’s likely this exploit wasn’t utilized.
They weren’t visible. You could brute force to find a PIN, but it’s not there for people to look at. So not “exposed”.
2. The SIM is a token, and the SIM PIN is a second factor. The issue is here that it was designed to be used in a closed loop system controlled by the carrier. Phone numbers historically have been public information & were published in phone books.
3. The original inter s SIM + PIN was for access to carrier services only. The mistake of using a phone number as an IDENTITY is not JUST the carriers fault - it is a market wide problem across multiple sectors. There’s a reason why your mobile number is not trusted as proof of identity for a drivers licence or passport application. See 2.
4. So we have something being used outside it’s original intent and risk profile being found to be inadequate for a different risk profile associated with a different an totally unplanned for use-case . That’s not exactly unexpected as a consequence.
5. The blockchain does not help here. It just means anyone/everyone now gets a cryptographically signed phonebook, that can be changed arbitrarily by 51% of the people listed in it if they work together . That is likely not fit for purpose for identity from a single issuer (the carrier)
Yes, that’s a very good point, and it really depends how the API is written and how Apple was instructed to use it.
The API it might not be able to detect where the original request came from – only that it is receiving a request from the Apple site.
Yes, I have to agree that “exposed” is the wrong term. The correct term would be “vulnerable to a brute force attack”.
This is a pretty basic mistake, unlike some arcane workarounds that get through.
from The American Heritage® Dictionary of the English Language, 4th Edition:
transitive v. To subject or allow to be subjected to an action, influence, or condition: exposed themselves to disease; exposed their children to classical music.
Huh. Expose has more than one meaning. Whodda thunk it. Adding a rate limiter (in any form) would seem to help prevent someone's PIN from being subject to a brute forced.