UK Based Firm EE Hit by Two Security Vulnerabilities
As revealed by Tech Crunch, the UK-based telecommunications firm EE has suffered repeated flaws in its online systems. Within a single week, EE fixed two security vulnerabilities that could have affected its customers.
In the first instance, EE fixed a bug that let a customer add free, unlimited data to their account’s data plan. Using any man-in-the-middle tool such as Burp Suite, it was possible to “gift” data to one’s own account simply by capturing the request sent to the server and replacing the recipient’s phone number with one’s own. As described by Tech Crunch,
“By making the phone numbers the same, the system could be tricked into duplicating the data allowance without incurring any costs.”
Beyond that, the same bug could be used to gift free data to other linked accounts as well.
A researcher known as Spider on Twitter discovered the bug and reported it to Tech Crunch, which then brought the matter to EE’s attention. EE fixed the flaw within two days.
In the second instance, during the same week, another security researcher approached Tech Crunch with a further flaw. This bug was more dangerous still, since it allowed anyone to gain access to an internal EE website. According to the blog,
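To make the “same number on both sides” trick concrete, here is an added illustration (not EE’s code, and the account numbers, balances and linked-plan relationship are constructed) of a simplified gift-data handler that trusts the request body, beside a hardened version that decides everything from server-side state. The vulnerable handler is an assumed model of how a read-compute-write on two balances duplicates the allowance when both numbers alias the same account.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    msisdn: str                               # the account's phone number
    data_gb: int                              # remaining allowance in GB
    linked: set = field(default_factory=set)  # numbers sharing this plan

class GiftError(Exception):
    pass

def gift_data_vulnerable(accounts, sender, recipient, gb):
    """Takes both numbers from the request body and does a read-compute-write
    on each balance. With recipient == sender the two writes hit the same
    account and the second one wins, so the allowance is duplicated instead
    of moved. (An assumed model of the flaw, not EE's actual logic.)"""
    new_sender = accounts[sender].data_gb - gb
    new_recipient = accounts[recipient].data_gb + gb
    accounts[sender].data_gb = new_sender
    accounts[recipient].data_gb = new_recipient

def gift_data_hardened(accounts, session_msisdn, sender, recipient, gb):
    """Every decision is made from server-side state, not the request body."""
    if sender != session_msisdn:          # the gifting account must be the caller's own
        raise GiftError("sender does not match authenticated account")
    if recipient == sender:               # the self-gift that duplicated data
        raise GiftError("recipient must differ from sender")
    src = accounts[sender]
    if recipient not in src.linked:       # only linked numbers may receive data
        raise GiftError("recipient is not linked to this plan")
    if gb <= 0 or gb > src.data_gb:       # gifts are paid from the sender's allowance
        raise GiftError("insufficient allowance")
    src.data_gb -= gb
    accounts[recipient].data_gb += gb

def demo():
    """Replays the tampered request against both handlers (constructed data)."""
    me, other = "447700900001", "447700900002"
    accounts = {me: Account(me, 10, {other}), other: Account(other, 5)}
    gift_data_vulnerable(accounts, me, me, 10)   # recipient rewritten to own number
    duplicated = accounts[me].data_gb            # 20: allowance doubled for free
    accounts[me].data_gb = 10
    rejected = None
    try:
        gift_data_hardened(accounts, me, me, me, 10)
    except GiftError as err:
        rejected = str(err)
    return duplicated, accounts[me].data_gb, rejected
```

The hardened handler also binds the sender to the authenticated session, so rewriting either number in the request cannot move data out of someone else’s plan.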
“Although the site required an employee username and password to log in, the researcher found that an ‘admin’ account existed, of which anyone with the answer to the secret question could reset the password. It turns out that secret question could have been stronger.”
Tech Crunch reported the matter to EE, which fixed the bug within a day by disabling the account.
“This account has now been disabled and we have also changed the password and security question for the account.”
Did EE Attempt to Downplay the Bug’s Severity?
While confirming the fix, Tech Crunch reports, EE officials commented further on the site’s data security. According to them, access to the account would only have let an attacker view dummy accounts.
“No customer data is, or has been, at risk as the user account on the training website only gave access to a dummy environment with fake accounts.”
The researcher, however, maintains that the bug could have enabled a serious compromise. Reportedly, the secret question simply asked for an eye color, and the answer was “brown”. Anyone could guess that answer within a few attempts and gain access to the site. Through this admin account, an attacker could have granted their account any permissions they wanted and changed the site’s settings.
“I didn’t do any of that because of the law. But that doesn’t mean a malicious attacker couldn’t have done it,” says the researcher.
EE is the largest cellular network in the UK, with more than 30 million customers across the nation. Fortunately, both vulnerabilities were fixed before any malicious exploitation. However, the firm should take measures to prevent such incidents in future. Notably, this incident comes right after the report of a massive data breach at T-Mobile that exposed 2 million customers’ records to hackers.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently he is a freelance writer covering the latest security news and related developments. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.