BT web flaw allows unauthorized account tampering

A security loophole has been identified in UK telecoms company BT's online account management system that potentially allows access to any subscriber's account, permitting tariffs to be changed, paid extras to be added and more. BitterWallet was tipped off about the flaw, which has not been published, and tested it, finding that with only a friend's postcode and phone number they were able to take control of his account. Both pieces of information are low-entropy and often publicly available (in directories, on letterheads, or from a casual acquaintance), so they do not prove that the person holding them owns the line.

"Call packages could be changed, international options could be added and we could choose to have our friend charged a year's line-rental in a one-off payment, a charge that would be made within 24 hours," BitterWallet wrote.

Although BT required a new online account to be created, the system accepted the borrowed phone number and associated it with the new account's details; no further identification was demanded, and nothing checked that the person registering actually controlled the line or the address. In effect, knowledge of two pieces of largely public information was treated as proof of account ownership. BT is yet to respond to requests for an official comment.
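The weakness described above is a general one: an online registration flow that binds a service line to a new account on the strength of knowledge-based checks alone. The following is an added illustrative example, not BT's code or anything BitterWallet published. It models a hypothetical telecoms self-service back end with an in-memory database and constructed sample subscribers (the phone numbers are from the UK reserved-for-fiction ranges). The weak `claim_line_weak` function reproduces the described behaviour; `start_claim` and `finish_claim` show one common hardening, requiring a one-time code that would be delivered out of band (to the line itself or the billing address) before the binding is made, refusing to rebind a line that is already managed by another account, and capping code guesses.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demo: one line already managed by an online
# account, one line not yet registered online. Phone numbers are from the UK
# reserved drama ranges, postcodes are illustrative.
SAMPLE_LINES = {
    "02079460000": {"postcode": "SW1A 1AA", "account_id": "alice", "tariff": "standard"},
    "01632960123": {"postcode": "N1 9GU", "account_id": None, "tariff": "standard"},
}

MAX_CODE_ATTEMPTS = 5


def make_db():
    """Fresh in-memory database so each scenario starts from the same state."""
    return {"lines": {k: dict(v) for k, v in SAMPLE_LINES.items()}, "pending": {}}


def _norm_postcode(postcode):
    return postcode.replace(" ", "").upper()


def claim_line_weak(db, new_account_id, phone, postcode):
    """Vulnerable pattern: phone number + postcode is treated as proof of ownership.

    Anyone who knows both values can attach the line to an account they control,
    silently displacing whoever managed it before.
    """
    line = db["lines"].get(phone)
    if line is None or _norm_postcode(line["postcode"]) != _norm_postcode(postcode):
        return False
    line["account_id"] = new_account_id
    return True


def start_claim(db, new_account_id, phone, postcode):
    """Hardened step 1: validate the knowledge factors, then issue a possession challenge.

    Returns the one-time code that would be sent out of band (here it is returned
    only so the demo can complete the flow), or None when the claim is refused.
    The refusal is identical for an unknown number, a wrong postcode and an
    already-registered line, so the endpoint does not act as an enumeration oracle.
    """
    line = db["lines"].get(phone)
    if line is None or not hmac.compare_digest(
        _norm_postcode(line["postcode"]), _norm_postcode(postcode)
    ):
        return None
    if line["account_id"] is not None:
        # Already managed online: must go through the existing account's recovery flow.
        return None
    code = f"{secrets.randbelow(10**8):08d}"
    db["pending"][phone] = {
        "account_id": new_account_id,
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "attempts": 0,
    }
    return code


def finish_claim(db, phone, code):
    """Hardened step 2: bind the line only after the out-of-band code is presented.

    Guesses are counted and the pending claim is discarded once the cap is exceeded,
    so an eight-digit code cannot simply be brute-forced.
    """
    pending = db["pending"].get(phone)
    if pending is None:
        return False
    pending["attempts"] += 1
    if pending["attempts"] > MAX_CODE_ATTEMPTS:
        del db["pending"][phone]
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(pending["code_hash"], presented):
        return False
    db["lines"][phone]["account_id"] = pending["account_id"]
    del db["pending"][phone]
    return True


if __name__ == "__main__":
    db = make_db()
    print("weak claim of alice's line by mallory:", claim_line_weak(db, "mallory", "02079460000", "SW1A 1AA"))
    db = make_db()
    print("hardened claim of alice's line:", start_claim(db, "mallory", "02079460000", "SW1A 1AA"))
    code = start_claim(db, "bob", "01632960123", "n1 9gu")
    print("hardened claim of unregistered line issues a code:", code is not None)
    print("binding after correct code:", finish_claim(db, "01632960123", code))
```

The possession challenge is what actually changes the threat model: the attacker in the story knew the phone number and postcode, but could not answer a call to the line or open post at the billing address. In a real deployment the code would be delivered by an automated call to the line, an SMS where the line supports it, or a letter, and the existing account holder would be notified whenever a registration attempt touches their line.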

[via Twitter]