Good example: AT&T fixes critical security flaw after being reported through bug bounty
Take action: Let's celebrate good examples: AT&T invited responsible disclosure and promptly addressed the reported issue, avoiding a much more expensive problem. Even if you don't have a budget for a bug bounty, a responsible disclosure program will help you.
Learn More
AT&T has addressed a critical vulnerability on ATT.com that could have allowed unauthorized individuals to access consumer accounts. The flaw, reported by cybersecurity researcher Joseph Harris, lay in the site's account merging feature. By exploiting it, an attacker could merge their own account with any other account, gaining complete control of it, including the ability to change its password.
The attack method involved creating a free ATT.com profile and then using the "combine accounts" function, specifically the "already registered accounts" option. Entering the victim's phone number and ZIP code revealed the masked user ID linked to the victim's account and prompted for that account's password. However, the password check could be intercepted and redirected, through the website's backend, to an account the attacker controlled, so the merge went through without the victim's password.
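To make the design flaw concrete, here is an added illustration (not AT&T's code and not from the article) of a hypothetical "combine accounts" handler: the vulnerable version lets the client choose which account the password is checked against, while the hardened version verifies only against the account resolved server-side during lookup. The account data, names and three-attempt cap are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample account store (not real data): id -> (phone, ZIP, password).
ACCOUNTS = {
    "victim-01": ("5551230001", "10001", "victim-pass"),
    "attacker-free": ("5559990002", "20002", "attacker-pass"),
}

@dataclass
class MergeSession:
    requester: str  # account that started the merge
    target: str     # account found by the phone + ZIP lookup
    attempts: int = 0

class MergeFlow:
    """Hypothetical model of a 'combine accounts' flow: lookup, then confirm."""
    def __init__(self):
        self.sessions = {}   # one-time token -> MergeSession
        self.merged = []     # (requester, target) pairs that were linked

    def lookup(self, requester, phone, zip_code):
        # Resolve phone + ZIP to a registered account and bind it server-side.
        for acct_id, (p, z, _) in ACCOUNTS.items():
            if p == phone and z == zip_code:
                token = secrets.token_urlsafe(16)
                self.sessions[token] = MergeSession(requester, acct_id)
                return token
        raise LookupError("no matching account")

    def vulnerable_confirm(self, token, verify_account, password):
        # Flaw: the account whose password is checked is chosen by the client
        # and need not be the account that actually gets merged.
        s = self.sessions[token]
        if hmac.compare_digest(ACCOUNTS[verify_account][2], password):
            self.merged.append((s.requester, s.target))
            return True
        return False

    def hardened_confirm(self, token, password):
        # Fix: check the password only against the server-bound target,
        # cap attempts, and consume the token on success or lockout.
        s = self.sessions[token]
        s.attempts += 1
        ok = hmac.compare_digest(ACCOUNTS[s.target][2], password)
        if ok or s.attempts >= 3:
            del self.sessions[token]
        if ok:
            self.merged.append((s.requester, s.target))
        return ok
```

The defensive invariant is that the identity whose credential is verified and the identity that gets merged are the same server-side object; any flow where the client can name them separately is suspect.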
AT&T promptly acknowledged the issue and fixed it through its bug bounty program. The company stated that there is no evidence the vulnerability was exploited beyond the researcher's testing.