The security researchers Nicholas Ceraolo and Phobia have revealed a weakness in the Apple online store that exposed the account PINs of T-Mobile customers. The flaw could let an attacker obtain an account PIN simply by brute-forcing it.
The flaw put the PINs of around 77 million T-Mobile customers at risk of exposure online. Nicholas Ceraolo has said that the store's flaw could be the result of an engineering error that occurred when T-Mobile's account validation was connected to the Apple Online Store.
Reportedly, a web page in the iPhone purchase flow let a visitor make unlimited attempts at guessing the account PIN or the SSN. Because there was no limit on the number of tries, an attacker could run through every four-digit PIN. Once the PIN is known, it can be used to hijack the victim's SIM card and phone number.
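The root cause described above is a PIN check that answers every guess. The following Python example, added here and not code from the article or from either company, models that unthrottled check beside a hardened form that counts failures per account and locks the account out. The lockout threshold, lockout duration, account name and sample PIN are constructed for illustration and are not the stores' actual settings; the comparison function then shows how many guesses each version evaluates before it accepts one or refuses to answer.

```python
import hmac
import time
from dataclasses import dataclass

# Illustrative policy values (assumptions, not T-Mobile's or Apple's settings).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountPinRecord:
    """Server-side state for one account. The PIN is kept as plain digits only to keep
    the example short; a production system would store a salted hash instead."""
    pin: str
    failed_attempts: int = 0
    locked_until: float = 0.0


class UnthrottledPinVerifier:
    """Models the flaw the article describes: every guess is evaluated, with no limit."""

    def __init__(self, records):
        self.records = records

    def verify(self, account, guess):
        rec = self.records[account]
        # Constant-time comparison avoids leaking the PIN through timing, but on its own
        # does nothing against a caller who is simply allowed to try every value.
        return "ok" if hmac.compare_digest(rec.pin, guess) else "denied"


class ThrottledPinVerifier:
    """Hardened form: failed guesses are counted per account and the account is locked
    for LOCKOUT_SECONDS once MAX_FAILED_ATTEMPTS is reached."""

    def __init__(self, records, clock=time.monotonic):
        self.records = records
        self.clock = clock  # injectable so the behaviour can be tested without sleeping

    def verify(self, account, guess):
        rec = self.records[account]
        now = self.clock()
        if now < rec.locked_until:
            # Refuse without evaluating the guess: a locked account gives no signal.
            return "locked"
        if hmac.compare_digest(rec.pin, guess):
            rec.failed_attempts = 0
            return "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.failed_attempts = 0
        return "denied"


class FakeClock:
    """Deterministic clock for the demonstration and tests."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def guesses_evaluated_before_refusal(verifier, account, max_guesses=10_000):
    """Defender's check: how many distinct four-digit guesses does the endpoint evaluate
    before it either accepts one or refuses to answer? Unlimited evaluation is the bug."""
    evaluated = 0
    for n in range(max_guesses):
        result = verifier.verify(account, f"{n:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


def demo():
    pin = "4242"  # constructed sample PIN
    unthrottled = UnthrottledPinVerifier({"acct": AccountPinRecord(pin)})
    throttled = ThrottledPinVerifier({"acct": AccountPinRecord(pin)}, clock=FakeClock())
    return (
        guesses_evaluated_before_refusal(unthrottled, "acct"),  # 4243: every guess up to the right one
        guesses_evaluated_before_refusal(throttled, "acct"),    # 5: lockout stops the sweep
    )


if __name__ == "__main__":
    print(demo())
```

A per-account lockout is the minimum fix for a four-digit secret, since the whole keyspace is only 10,000 values. In practice the verifier should also throttle by source address and session, record every failed attempt so that bursts of failures across many accounts are visible to monitoring, and treat the SSN field on the same page with the same limits.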
AT&T encountered a similar vulnerability when a security flaw in Asurion's website revealed the PINs of its customers.