EE account website security failure: Able to view other user bills
12-06-2024 10:57 AM
I have discovered the following security failure on EE's accounts/billing website. I have reported it as a complaint but thought it prudent to share it here so that folks are aware of the issue and can take steps to avoid it.
The issue is that if you log in as User A on EE's website, view/download your mobile phone bill and log out, but someone else logs in as User B immediately after, they will have access to view and download User A's bills without having to enter their password, account number or anything else.
I've tested this on two separate PCs with three different EE accounts and all seem to have the same problem. It's very easy to reproduce it:
Step 2: View or download your bill as User A. You will get all of User A's current and former bills and usage
12-06-2024 12:54 PM
Welcome to the community.
We had a similar report about this which we raised to the web team for investigation. I've passed on your experience too, to help them identify the issue.
Chris
12-06-2024 08:49 PM
Hi,
Thanks for the update. EE have contacted me earlier today and have taken the details of the fault and have reported it as a "data breach". Hopefully EE can sort this issue out ASAP as it's a worrying security lapse.
