EE, the largest phone network in the UK, has fixed a website bug that allowed customers to add an unlimited amount of plan data to their accounts for free.
The bug allowed any customer to top up their plan’s data allowance at no cost by tampering with the web request sent by a feature on the customer’s account page that lets users “gift” data to linked accounts.
Using an intercepting proxy such as Burp Suite, it was possible to capture the request before it reached the server and swap the recipient’s phone number for the customer’s own. With sender and recipient set to the same number, the system could be tricked into crediting the gifted allowance back to the same account, duplicating the data without incurring any cost; the server trusted the recipient number supplied by the browser instead of checking it itself.
It was also possible to gift data to other connected accounts for free.
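The following is an added illustration, not EE’s code and not something the article describes in detail: a toy model of a “gift data” handler that trusts the recipient number from the request (the class of flaw the researcher exploited) next to a hardened version that validates the recipient server-side against the logged-in account. The phone numbers, balances, the `linked` relationship and the request shape are all constructed for the example; the article says nothing about how EE’s backend actually implemented the feature.

```python
# Added example, not EE's code. Models the class of bug in the article:
# a "gift data" endpoint that trusts the recipient number sent by the
# browser, beside a hardened handler. All numbers, balances and the
# request format are constructed for this illustration.
from dataclasses import dataclass, field


@dataclass
class Account:
    msisdn: str                                  # phone number, used as the account key
    data_mb: int                                 # remaining data allowance in MB
    linked: set = field(default_factory=set)     # other numbers on the same account


def make_accounts():
    """Fresh constructed test data: two linked numbers and one stranger."""
    return {
        "07700900001": Account("07700900001", 1000, {"07700900002"}),
        "07700900002": Account("07700900002", 500, {"07700900001"}),
        "07700900999": Account("07700900999", 200),  # unrelated customer
    }


def gift_vulnerable(accounts, session_msisdn, request):
    """Hypothetical weak handler: credits whatever number the client put in
    the 'to' field and never debits the sender. Swapping 'to' for the
    sender's own number in an intercepting proxy yields free data."""
    amount = int(request["amount_mb"])
    accounts[request["to"]].data_mb += amount
    return {"ok": True}


def gift_hardened(accounts, session_msisdn, request):
    """Hardened handler: the sender is the authenticated session, not a
    request field; the recipient must be a linked number other than the
    sender; and the allowance is moved, never duplicated."""
    amount = int(request["amount_mb"])
    sender = accounts[session_msisdn]
    to = request["to"]
    if amount <= 0:
        return {"ok": False, "error": "invalid amount"}
    if to == session_msisdn:
        return {"ok": False, "error": "cannot gift to yourself"}
    if to not in sender.linked or to not in accounts:
        return {"ok": False, "error": "recipient not linked to this account"}
    if sender.data_mb < amount:
        return {"ok": False, "error": "insufficient allowance"}
    # In a real system these two writes belong in one database transaction.
    sender.data_mb -= amount
    accounts[to].data_mb += amount
    return {"ok": True}


def tamper(request, session_msisdn):
    """What the proxy edit does: point the gift at the sender's own number."""
    return {**request, "to": session_msisdn}


if __name__ == "__main__":
    me = "07700900001"
    legit = {"to": "07700900002", "amount_mb": 500}   # constructed request
    evil = tamper(legit, me)

    accts = make_accounts()
    gift_vulnerable(accts, me, evil)
    print("vulnerable, self-gift:", accts[me].data_mb)        # 1500: free data

    accts = make_accounts()
    print("hardened, self-gift:", gift_hardened(accts, me, evil))
    print("hardened, legit gift:", gift_hardened(accts, me, legit),
          accts[me].data_mb, accts["07700900002"].data_mb)   # 500 and 1000
```

The point of the hardened version is that nothing security-relevant comes from the request body except the amount: the sender is derived from the session, and the recipient is checked against the sender’s own linked numbers before any balance changes.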
A pseudonymous security researcher who goes by The Infosec Spider contacted TechCrunch with details of the bug, which we reported to EE.
The company said in a statement that it fixed the bug within two days, and thanked the researcher.
“Our customer data was never at risk as users could only increase the data on their own plan, or another number associated with their account, after they successfully logged into their account,” said an EE spokesperson.
But the researcher said that the bug could have been exploited to defraud the phone giant.
It’s the second bug found by the security researcher to affect EE this year. In May, the researcher found a company code repository online with a default password. In a separate security incident, EE also exposed the private keys for its Amazon Web Services instances because of a flawed deployment of its Jira bug tracking system.