Bitterwallet reader exposes security flaw in BT website

11 November 2010

A security flaw on BT's website allows anyone to assume the identity of a BT customer, and have them charged hundreds of pounds. Bitterwallet reader Ray has sent us details of the steps required to view any customer's current BT package and register an online account in their name. From there, a person is able to set up new packages for the unsuspecting customer - including one-off charges for a year's line rental.

We tested the method sent to us by Ray and can confirm it is genuine. With only a BT customer's phone number and postcode, we were able to view a friend's current account options:

[Image: Bitterwallet - BT security flaw 1]

Call packages could be changed, international options could be added and we could choose to have our friend charged a year's line rental in a one-off payment, a charge that would be made within 24 hours:

[Image: Bitterwallet - BT security flaw 2]

We were then prompted to register online as a new customer, with BT seemingly associating the registration details we gave with the phone number supplied, with no other security checks being carried out:

[Image: Bitterwallet - BT security fail 3]

Finally, we confirmed the changes and received a confirmation number:

[Image: Bitterwallet - BT security fail 4]

When Ray tried to raise the issue with BT, nobody seemed interested: "I asked them to call me back instead of me waiting for another hour on the phone to inform them of their problem. I've still received no call." Bitterwallet has contacted BT this morning and is waiting to hear back about the issue.

25 comments

  • Loz
    Not at all surprised, I've long found BT's website to nicely represent the company as a whole - i.e. one which doesn't know its arse from its elbow and which treats its customers with utter disdain.
  • Victor M.
    I don't believe it!! I actually just tried this out there now, kind of scary. The good news is that if anybody has changed their calling plan they can just wait for the bill, refuse to pay it, and deny that they ever changed it in the first place. And this just confirms how easily this can be done. Thanks Bitterwallet!!!
  • Ray
    Thanks Paul. At least Bitterwallet takes this seriously, as it's quite clear BT don't. Can't wait for all those BT customers to get refunds on all the services they didn't order, or that BT can't prove that they ordered. Serves the buggers right. I did try and inform them of the problem. They didn't want to know.
  • hippy
    Is this not a violation of the data security act, along with a violation of the trust people have with such a large company that has been going since the dawn of the telephone? If only they spent money paying a coder to implement a proper security system instead of adverts about the lottery for fibre optic broadband.
  • Daniel
    ouch!
  • PlatinumPlatypus
    BT really don't care about their customer's data do they? First the Infinity mailing list incident, and now this which is several orders of magnitude more serious.
  • Ray
    I thought there would be a lot more interest in this post, being as it affects every single person with a BT account. BBC Watchdog anyone?
  • BT S.
    [...] to any subscriber’s account and permits changes to tariffs, paid extras to be added and more. BitterWallet were tipped to the flaw – which has not been published – and tested it, finding that [...]
  • Ray
    Fantastic! - SlashGear, Technews - the more the merrier, Bitterwallet getting some well deserved credit :-)
  • Tim
    Whilst commendable to highlight the issue, I think it's a really bad idea to publish how to do it!! If my BT account is hacked I may be after you for damages!
  • ray
    Believe me, there's no need to publish how to do it at all. I've not done anything complicated at all. Simply logged on to their CRAP webpage. There is no hacking involved here at all. This "Flaw" is just plain crap programming, allowing everyone and their dog access to YOUR personal details. They need to be named and shamed. This is totally unacceptable, not to mention illegal.
  • Jim
    I've just had someone place an order on my line. They have rung me and claimed Bitterwallet have given them instructions on how to do this. I'm not happy.
  • PokeHerPete
    WTF IS DIS SHIT? Don't companies ever have specifications for their services and security reviews? Bet they just outsourced to some Indians for £50 on RentACoder.
  • Brandon H.
    Can this still be done if the number in question has already been registered as an online account, or can this method allow people to hack it so that they can register with a number that already has an online account set up.
  • Brandon H.
    Surely common sense would dictate that BT should phone anyone who makes a change to their plan if they already have a number, thus confirming the real user so BT don't get complaints. I think the method will still work even if the user has signed up for the online account with their phone number, as I've just tried. I daren't click any further to see what happens as I don't want to add to my damn bill by adding something as an experiment.
  • chalky
    I tried this when I read the post on HUKD; it works on online accounts. Just went to check on updates to find the post had been spammed, glad to see it in here. Has there been a reply from BT yet? Let me guess, no. How much commission do the call centre staff get for upgrading you to an expensive call package? How much compensation are BT paying for disclosing private details to all and sundry? E.g. the number I tested had paid a year's rent upfront.
  • spuddy
    OK, I've slept on it. The neighbour who is paying top dollar for the all-free-calls package, gonna change his package to zero free calls and wait for his bill to arrive.
  • Mr S.
    Yep, still works. Allow me to be the first here to say: WTF DIS IS REAL!!!11!!!
  • Paulo
    It really is a wonder that anyone trusts BT with their data at all. Guys/Gals, this is BT we're talking about here. This is the "Trusted" communications company that has abused their customers' data for years: 1) They covertly, purposefully, secretly, in a "stealth" manner, installed software and hardware into their customer network, to monitor customer communication data, so they could classify their customers' browsing habits on the internet. All without consent of their customers and without consent of the websites they visited. All in order to trial making a profit out of snooping on people. Called Webwise, and provided by a company well known for their history of adware and unwanted software installed in a stealthy manner on people's PCs - something which companies like Symantec then created detection and removal routines for. UNTRUSTED - COUNT 1. 2) They continued to claim, after being caught with Webwise running, that it was legal and was going to be rolled out. The company behind the Webwise technology (with links to Russian spyware coders) created web pages that were designed to smear campaigners against them. The pages contained lies about individuals and lies about the UK government and their actions in connection with the issue. UNTRUSTED - COUNT 2. 3) They leaked personal data from their customer web forums, resulting in customer details, including email addresses, being public and cached on sites such as Google. UNTRUSTED - COUNT 3. 4) BT does not allow their customers to discuss issues of data security or privacy if it is related to their usage of BT as a communications provider. They state this very clearly in the terms and conditions of their web forums. They have deleted whole threads and individual posts. They have banned individuals rather than refute their claims with evidence to the contrary. UNTRUSTED - COUNT 4. 5) BT has begun running DNS hijacking. Again, interception and altering of the communication content without customer consent. They offer a way to "Opt Out" but this is not permanent. They offer an "Opt Out" but they do not "require" an explicit and informed consent "OPT IN" from customers. This is contrary to decent moral principles and should also be illegal. UNTRUSTED - COUNT 5. 6) There's more. Their altering of BT-provided equipment (e.g. broadband routers or Vision boxes) without explicit consent. They can update/change the software on those things and they do not say when they do it, why or what the changes are. UNTRUSTED - COUNT 6. 7) The issue above where anyone with a little data can access a BT account like this... UNTRUSTED - COUNT 7. They do not care at all. Customers are numbers. Customers are nothing but a revenue stream to BT, and anything they can do to increase the money they make from them will be done. The law or decent principles do not come into play. They have stated very clearly in the past: "We take your privacy very seriously". Does anyone REALLY believe they do? Use BT for internet? Get a MAC code and leave BT (and avoid Virgin Media who like CView/Webwise and avoid TalkTalk with their STalkSTalk system). Use BT for phone? Why would you, change to a better provider.
  • Zleet
    If not, as someone else pointed out, get BT to call you to confirm changes, why not have a unique identifier that is needed to be able to change anything? Either a private user number issued by BT or the last five digits of the bank account number used to pay for it (or something).
  • Hamish w.
    Damn, I check all my bank and financial details on a DAILY basis after being cloned once; now I will have to check my B***** T**** account as well.
  • Skinheed
    Good ole BT, eh? Nice to know they're taking this seriously...
  • HIM
    hmmmmm - doesn't appear to be the case anymore - just tried this and it asks for the account number - not the phone number - please update.
  • Blog
    Great blog... Pretty interesting, but I do have one question: do you have other sites like this?
