A report released by BuzzFeed, a news aggregator, said that the security vulnerability of the Apple website and mobile insurance company Asurion website exposed the PIN code of more than 72 million iPhone users.
The vulnerability in Apple’s website exposed the iPhone PIN of wireless carrier T-Mobile users, while the security vulnerability on Asurion’s website exposed the iPhone PIN of AT&T users. After the security report was posted on the BuzzFeed website, Apple and Asurion immediately took emergency remedies to fix the vulnerabilities discovered by security researchers Phobia and Convict.
There is an account authentication page on the Apple website that asks the user to enter the T-Mobile phone number and PIN code or social security card number, which may allow hackers to make numerous attempts. The other three mainstream operators in the United States protect the security of user accounts by limiting the number of inputs.
Security researcher Convict said the problem might be due to engineering errors when the T-Mobile API (application programming interface) was connected to the Apple website. The Asurion website vulnerability allows hackers who know the wireless carrier’s AT&T mobile phone number to access another form that requires the user to enter a PIN code. As with Apple’s web pages, this form requesting a PIN code has no input limit.
Apple’s security breach has nothing to do with T-Mobile’s recent server intrusion incident, which exposed the personal information of approximately 3% of subscribers to the wireless carrier.