Tuesday, July 03, 2007

Manage Your BT Account Insecurely Online

Via heise Security News.

Two independent sources that wish to remain anonymous have reported to heise Security that BT's online account management service has a serious flaw. Apparently, anyone in possession of basic information available from a printed phone bill can create a profile from which they can inspect and manage your telephone account, even if you already make use of this service yourself.

A profile can be created merely by providing a user name, password and email address. Although the structure of the email address is validated, no check is made (e.g. by an emailed mandatory confirmation code) that the email address is real. However, it gets worse. Having created a profile, it appears that any telephone service account can be added to it merely by entering the phone number and the BT account number, both of which appear on every printed bill. No check is apparently made whether another profile already exists with access to the given account information, or even that the profile user name matches the billing account name.

More here.
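The report boils down to three missing controls in the account-linking flow: the e-mail address is never confirmed, no one checks whether the account is already managed by another profile, and bill data alone is treated as proof of ownership. The following Python sketch is an added example, not code from heise Security or from BT's service; the portal, its account numbers and phone numbers are constructed, and the out-of-band activation code is an assumption about how a hardened service could confirm ownership (for example by posting it to the billing address). It shows the weak linking step next to a hardened two-step version.

```python
"""Constructed account-linking flow: weak variant beside a hardened one."""
import hashlib
import secrets
from dataclasses import dataclass, field


class LinkError(Exception):
    """Raised when a linking request fails one of the controls."""


@dataclass
class BillingAccount:
    phone_number: str
    account_number: str
    holder_name: str


@dataclass
class Profile:
    username: str
    email: str
    email_verified: bool = False
    linked: set = field(default_factory=set)


def _digest(token):
    # Only hashes of one-time codes are stored, so a leaked store is not usable directly.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountPortal:
    def __init__(self, accounts):
        self.accounts = {a.account_number: a for a in accounts}
        self.profiles = {}
        self.pending_email = {}  # digest -> username
        self.pending_link = {}   # digest -> (username, account_number)
        self.owner = {}          # account_number -> username

    def register(self, username, email):
        self.profiles[username] = Profile(username, email)
        token = secrets.token_urlsafe(32)
        self.pending_email[_digest(token)] = username
        return token  # a real service e-mails this; it is returned here only for the demo

    def confirm_email(self, token):
        username = self.pending_email.pop(_digest(token), None)
        if username is None:
            return False
        self.profiles[username].email_verified = True
        return True

    def link_weak(self, username, phone, account_number):
        """Mirrors the reported behaviour: data printed on the bill is enough."""
        acct = self.accounts.get(account_number)
        if acct is None or acct.phone_number != phone:
            raise LinkError("unknown account")
        self.profiles[username].linked.add(account_number)
        return True

    def request_link(self, username, phone, account_number):
        """Hardened step 1: validate the request, then issue an out-of-band code."""
        profile = self.profiles[username]
        if not profile.email_verified:
            raise LinkError("email address not confirmed")
        acct = self.accounts.get(account_number)
        if acct is None or acct.phone_number != phone:
            raise LinkError("unknown account")
        current = self.owner.get(account_number)
        if current is not None and current != username:
            # Never silently attach a second profile; this belongs in manual review.
            raise LinkError("account already managed by another profile")
        code = secrets.token_urlsafe(16)
        self.pending_link[_digest(code)] = (username, account_number)
        return code  # assumption: delivered to the billing address, not shown on screen

    def confirm_link(self, username, code):
        """Hardened step 2: only the holder of the out-of-band code completes the link."""
        entry = self.pending_link.pop(_digest(code), None)
        if entry is None or entry[0] != username:
            raise LinkError("invalid activation code")
        self.owner[entry[1]] = username
        self.profiles[username].linked.add(entry[1])
        return True


def demo():
    """Constructed scenario: the customer links first, a second profile tries later."""
    portal = AccountPortal([BillingAccount("02079460000", "CONSTRUCTED-ACCT-1", "A. Customer")])
    portal.confirm_email(portal.register("customer", "customer@example.com"))
    portal.confirm_link("customer", portal.request_link("customer", "02079460000", "CONSTRUCTED-ACCT-1"))

    results = {}
    second = portal.register("second_profile", "nobody@example.invalid")
    results["weak"] = portal.link_weak("second_profile", "02079460000", "CONSTRUCTED-ACCT-1")
    for step in ("unverified_email", "already_owned"):
        try:
            portal.request_link("second_profile", "02079460000", "CONSTRUCTED-ACCT-1")
            results[step] = "linked"
        except LinkError as exc:
            results[step] = str(exc)
        portal.confirm_email(second)  # second attempt runs with a confirmed address
    try:
        portal.confirm_link("customer", "not-the-real-code")
        results["wrong_code"] = "linked"
    except LinkError as exc:
        results["wrong_code"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The weak path links the account for anyone holding the bill, which is the behaviour the report describes. The hardened path rejects the same request twice over: first because the e-mail address was never confirmed, then, once it is, because the account already belongs to another profile. Matching the profile name against the billing name, which the report also notes is missing, is worth adding but is not proof of ownership on its own, since the name is printed on the same bill; that is why the example ties the final step to a code the requester can only obtain out of band.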
