Flaw in BT Systems Allows Anyone to Add Extra Services to User Accounts

The telecoms company claims it's not really a security hole

By on November 27th, 2012 12:45 GMT

A customer of British telecoms company BT has identified a couple of bugs on bt.com. While the firm rushed to address one of them, the second one – which allows anyone to add extra paid-for services to accounts – remains unfixed.

A BT customer who wished to remain anonymous has informed The Register that the problems exist in the “Phone & Calling Plan” sections of the telecoms firm’s website.

The user discovered that paid-for services can be added to any landline simply by knowing the owner’s phone number and postal code. This allows pranksters to inflate the bill of any customer using only information that is, in many cases, freely available.

The other problem was found in the same service ordering section of the site.

At the end of the new services ordering process, the customer is allowed to create an account to view his/her online bills. However, the problem was that those who chose to register such an account were directly presented with a pre-filled form that contained the account holder’s full name.

This issue, which exposed the names of landline owners, has been fixed by BT, the company admitting that it shouldn’t have been possible to view the name of the account holder simply by entering their postal code and phone number.

On the other hand, BT claims that the bug which allows anyone to add extra paid-for services to accounts is actually a feature.

“Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode,” BT representatives told The Register.

The individual who discovered the problem argues that the phone numbers and postal codes can be found on letterheads and all over the Internet. He believes that the company should at least ask for the BT account number.
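The difference between the two positions above comes down to what an ordering endpoint accepts as proof of authority. The following is an added illustration, not BT's code and not based on any knowledge of bt.com internals: a constructed model of a landline self-service endpoint with the weak check (phone number plus postcode, both public identifiers) beside a hardened one that additionally requires the account number printed only on the bill, and a registration pre-fill that no longer echoes the stored holder name. All account data, function names and the `Account` type are constructed for the example.

```python
"""Constructed model of a self-service ordering endpoint (hypothetical, not BT's code).

Shows why authorising a chargeable change with public identifiers alone is
insufficient, and how requiring a bill-only secret closes the gap.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str
    postcode: str
    account_number: str          # only printed on the paper bill (constructed secret)
    holder_name: str
    services: set = field(default_factory=set)


# Constructed sample directory; values are fictional.
ACCOUNTS = {
    "02079460000": Account("02079460000", "SW1A 1AA", "GB12345678", "A. Customer"),
}


def _norm(value: str) -> str:
    """Normalise postcode / account number input for comparison."""
    return value.replace(" ", "").upper()


def lookup_by_public_ids(phone: str, postcode: str):
    """Locate the account from phone number + postcode.

    Both values are public (letterheads, directories), so this identifies
    an account but does not prove the caller is entitled to change it.
    """
    acct = ACCOUNTS.get(phone)
    if acct and _norm(acct.postcode) == _norm(postcode):
        return acct
    return None


def order_service_weak(phone: str, postcode: str, service: str) -> bool:
    """Weak policy: identification is treated as authorisation."""
    acct = lookup_by_public_ids(phone, postcode)
    if acct is None:
        return False
    acct.services.add(service)
    return True


def order_service_hardened(phone: str, postcode: str,
                           account_number: str, service: str) -> bool:
    """Hardened policy: also require a secret only the bill holder has.

    compare_digest avoids leaking the account number through timing.
    """
    acct = lookup_by_public_ids(phone, postcode)
    if acct is None:
        return False
    if not hmac.compare_digest(_norm(acct.account_number), _norm(account_number)):
        return False
    acct.services.add(service)
    return True


def prefill_registration_weak(phone: str, postcode: str):
    """The disclosure bug: public identifiers return stored personal data."""
    acct = lookup_by_public_ids(phone, postcode)
    return {"name": acct.holder_name} if acct else None


def prefill_registration_hardened(phone: str, postcode: str):
    """Fixed form: confirm the line exists, but let the user type their own name."""
    return {"name": ""} if lookup_by_public_ids(phone, postcode) else None


if __name__ == "__main__":
    print("weak order:", order_service_weak("02079460000", "sw1a1aa", "caller_display"))
    print("hardened, wrong acct:", order_service_hardened("02079460000", "SW1A 1AA", "GB00000000", "voicemail"))
    print("hardened, right acct:", order_service_hardened("02079460000", "SW1A 1AA", "gb12345678", "voicemail"))
    print("weak prefill:", prefill_registration_weak("02079460000", "SW1A 1AA"))
    print("hardened prefill:", prefill_registration_hardened("02079460000", "SW1A 1AA"))
```

The point of the model is the distinction between identifying an account and proving entitlement to change it: phone number and postcode do the first, and only a value the customer receives privately (here, the account number) does the second. In a real deployment the account number would be one factor among an authenticated session, rate limiting on the lookup, and a confirmation sent to the line's registered contact.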
