AT&T resolves security flaw allowing unauthorized account takeover

AT&T patched a critical vulnerability that might have allowed unauthorized access to consumer accounts on This vulnerability might be exploited simply by knowing the victim’s phone number and ZIP code.

This security flaw was discovered by cybersecurity researcher Joseph Harris, who discovered a way to abuse an account merging function for malevolent reasons. Harris could effectively merge his personal account with any other account by exploiting this vulnerability, providing him complete power and the ability to change the password associated with it.

Harris said that the attack included creating a free profile, then going to the “combine accounts” button and selecting “already registered accounts.” The disguised user ID connected with the victim’s account would be disclosed after inputting the victim’s phone number and ZIP code, prompting them to enter their password. Hackers would then intercept the password request and reroute it to accounts under their control using the website’s backend.

An AT&T spokesperson acknowledged the problem and confirmed its resolution through the company’s bug bounty program. They clarified that there is no evidence to suggest that the vulnerability was exploited beyond the scope of the researcher’s testing.

The sources for this piece include an article in TheRecord.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web