Bitterwallet reader exposes security flaw in BT website
A security flaw on BT's website allows anyone to assume the identity of a BT customer, and have them charged hundreds of pounds. Bitterwallet reader Ray has sent us details of the steps required to view any customer's current BT package and register an online account in their name. From there, a person is able to set up new packages for the unsuspecting customer - including one-off charges for a year's line rental.
We tested the method sent to us by Ray and can confirm it is genuine. With only a BT customer's phone number and postcode, we were able to view a friend's current account options:
Call packages could be changed, international options could be added and we could choose to have our friend charged a year's line rental in a one-off payment, a charge that would be made within 24 hours:
We were then prompted to register online as a new customer, with BT seemingly associating the registration details we gave with the phone number supplied, with no other security checks being carried out:
Finally, we confirmed the changes and received a confirmation number:
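As an added illustration, not code from the article or from BT, here is a small Python model of the weakness the steps above describe: a lookup that treats a phone number and postcode (both of which appear in a phone book or on a discarded bill) as sufficient proof of identity, beside a registration flow that also demands a one-time code delivered out of band before an online account can be bound to the line. The records, field names, code length, expiry and attempt limit are all assumptions made for the example.

```python
"""Hypothetical model of a knowledge-only account check beside a hardened one.

Nothing here is BT's code or data; records, names and thresholds are invented
for the example. The weak flow mirrors the steps in the article: two publicly
knowable facts unlock the account and every chargeable change behind it.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample record (not a real customer).
ACCOUNTS = {
    "acct-1001": {"phone": "020 7946 0000", "postcode": "SW1A 1AA",
                  "package": "Unlimited Anytime", "online_user": None},
}


def normalise(value: str) -> str:
    """Strip spaces and upper-case so '020 7946 0000' == '02079460000'."""
    return "".join(value.split()).upper()


def weak_lookup(phone: str, postcode: str):
    """The flow described above: phone number + postcode alone locate the
    account, and nothing further is asked before changes are accepted.
    Anyone who knows both facts passes; neither is a secret."""
    for acct_id, rec in ACCOUNTS.items():
        if (normalise(rec["phone"]) == normalise(phone)
                and normalise(rec["postcode"]) == normalise(postcode)):
            return acct_id
    return None


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class HardenedRegistrar:
    """Registration needs proof of possession, not just knowledge: a one-time
    code sent to the billing address or the line itself, which the web
    requester never sees. Phone + postcode only select which account to
    challenge; they no longer authorise anything on their own."""
    code_ttl: float = 600.0        # seconds a code stays valid (assumed)
    max_attempts: int = 3          # wrong guesses before the code is voided
    _pending: dict = field(default_factory=dict)  # acct_id -> [digest, expiry, tries]
    _outbox: list = field(default_factory=list)   # simulated out-of-band channel

    def request_code(self, phone: str, postcode: str) -> bool:
        acct_id = weak_lookup(phone, postcode)
        if acct_id is None:
            return False
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[acct_id] = [_digest(code), time.time() + self.code_ttl, 0]
        # Delivered by post or to the installed line, never back to the browser.
        self._outbox.append((acct_id, code))
        return True

    def register(self, phone: str, postcode: str, code: str, username: str) -> bool:
        acct_id = weak_lookup(phone, postcode)
        if acct_id is None or acct_id not in self._pending:
            return False
        entry = self._pending[acct_id]
        if time.time() > entry[1] or entry[2] >= self.max_attempts:
            del self._pending[acct_id]      # expired or locked: start over
            return False
        entry[2] += 1
        if not hmac.compare_digest(entry[0], _digest(code)):
            return False                    # wrong code, attempt counted
        del self._pending[acct_id]          # single use
        ACCOUNTS[acct_id]["online_user"] = username
        return True


if __name__ == "__main__":
    # Attacker knows only the directory facts.
    phone, postcode = "02079460000", "sw1a 1aa"
    print("weak flow grants access:", weak_lookup(phone, postcode) is not None)
    reg = HardenedRegistrar()
    reg.request_code(phone, postcode)
    print("hardened flow, guessed code:", reg.register(phone, postcode, "00000000", "mallory"))
    real_code = reg._outbox[-1][1]   # only the genuine recipient has this
    print("hardened flow, real code:", reg.register(phone, postcode, real_code, "alice"))
```

The point of the model is where the check sits: in the weak flow the same two facts that identify the account also authorise it, so a registration or a year's line rental ordered by a stranger is indistinguishable from one ordered by the customer. Binding the online account to something only the customer can receive is what separates the two.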
When Ray tried to raise the issue with BT, nobody seemed interested: "I asked them to call me back instead of me waiting for another hour on the phone to inform them of their problem. I've still received no call." Bitterwallet contacted BT this morning and is waiting to hear back about the issue.