{"id":42402,"date":"2018-08-25T00:22:40","date_gmt":"2018-08-25T00:22:40","guid":{"rendered":"https:\/\/appleinsider.com\/articles\/18\/08\/24\/flaws-in-apple-asurion-websites-expose-pins-of-millions-of-iphone-users"},"modified":"2018-08-25T00:22:40","modified_gmt":"2018-08-25T00:22:40","slug":"flaws-in-apple-asurion-websites-expose-pins-of-millions-of-iphone-users","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2018\/08\/25\/flaws-in-apple-asurion-websites-expose-pins-of-millions-of-iphone-users\/","title":{"rendered":"Flaws in Apple &amp; Asurion websites expose PINs of millions of iPhone users"},"content":{"rendered":"<p><!-- font size selector, BEGIN --> <span class=\"cfix\">\u00a0<\/span> <\/p>\n<p class=\"gray small byline\"> By <a href=\"mailto:rfingas@gmail.com\">Roger Fingas<\/a> <br \/><span class=\"gray\">Friday, August 24, 2018, 05:22 pm PT (08:22 pm ET)<\/span> <\/p>\n<p> <span><span class=\"article-leader\">Although already fixed, security vulnerabilities at Apple&#8217;s online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.<br \/><\/span><\/p>\n<div align=\"center\">\n<div class=\"article-img\"><img decoding=\"async\" src=\"http:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2018\/08\/flaws-in-apple-asurion-websites-expose-pins-of-millions-of-iphone-users.jpg\" alt=\"Hacked\" height=\"495\" class=\"lazy\" \/><img decoding=\"async\" src=\"http:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2018\/08\/flaws-in-apple-asurion-websites-expose-pins-of-millions-of-iphone-users-1.jpg\" \/><\/div>\n<p><span class=\"minor2 small gray\"><\/span><\/div>\n<p>The Apple vulnerability exposed the PINs of &#8220;over 72 million&#8221; T-Mobile subscribers, <em>BuzzFeed News<\/em> <a href=\"https:\/\/www.buzzfeednews.com\/article\/nicolenguyen\/tmobile-att-account-pin-security-flaw-apple\">claimed<\/a>. 
Asurion is noted to have had a separate flaw, affecting the PINs of AT&amp;T customers.<\/p>\n<p>Both Apple and Asurion remedied the situation after <em>BuzzFeed<\/em> shared findings from security researchers &#8220;Phobia&#8221; and Nicholas &#8220;Convict&#8221; Ceraolo. In Apple&#8217;s case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let hackers make an unlimited number of attempts \u2014 unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.<\/p>\n<p>The problem may have been an engineering mistake made when linking a T-Mobile API to Apple&#8217;s website, Ceraolo said. <\/p>\n<p>The Asurion vulnerability let people who knew an AT&amp;T user&#8217;s phone number obtain access to another form asking for their PIN, which like Apple&#8217;s page lacked a rate limiter.<\/p>\n<p>The Apple flaw is unrelated to a <a href=\"https:\/\/appleinsider.com\/articles\/18\/08\/24\/personal-data-of-two-million-customers-swiped-in-t-mobile-breach\">T-Mobile server breach<\/a> which exposed some of the personal information of about 3 percent of the carrier&#8217;s subscribers. That attack took place on Aug. 20.<\/p>\n<p><\/span> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 By Roger Fingas Friday, August 24, 2018, 05:22 pm PT (08:22 pm ET) Although already fixed, security vulnerabilities at Apple&#8217;s online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday. 
The Apple vulnerability exposed the PINs of &#8220;over 72 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":42403,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[155],"class_list":["post-42402","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apple-insider","tag-iphone"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/42402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=42402"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/42402\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/42403"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=42402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=42402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=42402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}