Back in June EE announced that it was going to let customers start gifting their unused monthly data to family members, giving it a new lease on life and preventing it from going to waste. But it seems that system had a pretty critical bug that would have let customers add an unlimited amount of data to an account without having to pay for it. As ever, the first we got to hear of it was after it had been fixed.
The thing about this bug was that it wasn't the kind of thing just anyone could do by accident. It involved man-in-the-middle tools that intercepted requests to EE's servers and let users swap the recipient's phone number for their own. That effectively let them duplicate their data allowance without paying any money. It was also possible to gift free data to other numbers, provided they'd already been linked to the original account.
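As an added illustration (not EE's code; the exact mechanism was never disclosed), here is a toy model of a gifting endpoint in which an assumed read-modify-write flaw reproduces the symptom above, beside a hardened handler that re-validates the request server-side, refuses self-transfers and keeps the account total constant. The `Store`, the phone numbers and the request shape are all constructed for the example.

```python
from dataclasses import dataclass, field

class GiftError(Exception):
    pass

@dataclass
class Store:
    balance: dict = field(default_factory=dict)  # number -> remaining MB
    owner: dict = field(default_factory=dict)    # number -> account id

    def linked(self, number: str, account_id: str) -> bool:
        return self.owner.get(number) == account_id

def gift_vulnerable(store: Store, session_account: str, req: dict) -> None:
    """Assumed flawed handler: both numbers must be linked to the logged-in
    account, but the transfer is a naive read-modify-write. If the client
    swaps the recipient for the sender, the credit overwrites the debit."""
    sender, recipient, amount = req["from"], req["to"], req["amount_mb"]
    if not (store.linked(sender, session_account)
            and store.linked(recipient, session_account)):
        raise GiftError("number not linked to this account")
    from_bal = store.balance[sender]
    to_bal = store.balance[recipient]           # stale once the debit lands
    if from_bal < amount:
        raise GiftError("insufficient allowance")
    store.balance[sender] = from_bal - amount
    store.balance[recipient] = to_bal + amount  # clobbers the debit above

def gift_fixed(store: Store, session_account: str, req: dict) -> None:
    """Hardened handler: validate the amount, refuse self-transfers, check
    ownership server-side, and apply debit then credit on fresh values."""
    sender, recipient, amount = req["from"], req["to"], req["amount_mb"]
    if not isinstance(amount, int) or amount <= 0:
        raise GiftError("amount must be a positive whole number of MB")
    if sender == recipient:
        raise GiftError("recipient must differ from the sending number")
    if not (store.linked(sender, session_account)
            and store.linked(recipient, session_account)):
        raise GiftError("number not linked to this account")
    if store.balance[sender] < amount:
        raise GiftError("insufficient allowance")
    store.balance[sender] -= amount
    store.balance[recipient] += amount

def total_mb(store: Store) -> int:
    """Invariant worth monitoring: gifting never changes the account total."""
    return sum(store.balance.values())
```

A tampered request that names the sending number as the recipient doubles that number's allowance under `gift_vulnerable` (the account total grows), while `gift_fixed` rejects it and a legitimate gift leaves the total unchanged.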
This bug was spotted by security researcher The InfoSec Spider, who reported it to TechCrunch. TechCrunch then passed the information on to EE, which had fixed the issue less than two days later. An EE spokesperson emphasised that the bug didn't actually put any user information at risk:
"Our customer data was never at risk as users could only increase the data on their own plan, or another number associated with their account, after they successfully logged into their account."
Naturally things could have been a lot worse for the network, especially given how much it charges for extra data. If this sort of thing had become public knowledge, who knows how many people would have tried to exploit it. This is why bug bounties exist, and are a good thing. [TechCrunch]