EE account website security failure: Able to view other user bills

faultreport2024
Investigator

I have discovered the following security failure on EE's accounts/billing website. I have reported it as a complaint but thought it prudent to share it here so that folks are aware of the issue and can take steps to avoid it.

The issue is that if you log in as User A on EE's website, view/download your mobile phone bill and log out, but someone else logs in as User B immediately after, they will have access to view and download User A's bills without having to enter their password, account number or anything else.

I've tested this on two separate PCs with three different EE accounts and all seem to have the same problem. It's very easy to reproduce:

 

Step 1: Log in to EE's homepage/accounts page as User A
Step 2: View or download your bill as User A. You will get all of User A's current and former bills and usage
Step 3: Log out as User A from the Profile page. Do not close the browser window after doing this.
Step 4: Log in to EE's homepage/accounts page as User B. You will see User B's landing page and the cost of User B's latest bill
Step 5: When you try to view or download User B's bills, you will instead be given full access to User A's current and former bills and usage, just as in step 2.
 
The only way to avoid this happening, it seems, is to close your browser after step 3, which then forces the EE website to load the correct bills.
 
Technical details:
Platform used: Windows 10 PCs. Google Chrome 126.0.6478.57
Date first noticed: 11/06/2024
Date last tested: 12/06/2024 10:30
 
Can someone please pass this on to EE's website developers ASAP? It's a serious issue given how much personally identifiable information is available from a mobile phone bill.
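The thread does not say what is actually wrong on EE's side. One common way to get exactly the symptom described above (the wrong user's document appears only while the same browser window stays open, and closing the browser clears it) is a bill endpoint whose response the browser is allowed to cache, because the browser's HTTP cache is keyed by URL and not by who is logged in. The script below is an added illustration of that failure class and two mitigations, not EE's code and not a claim about the real root cause; the server, the browser cache, the account names and the bill text are all constructed for the example.

```javascript
// Added illustration (not EE's code): a browser HTTP cache keyed by URL only,
// in front of a bill endpoint that is, or is not, marked uncacheable.
// Constructed sample data: two accounts with different bills.
const BILLS = {
  alice: "Bill for 07700 900001: total £42.10",
  bob: "Bill for 07700 900002: total £18.75",
};

// Minimal hypothetical server: cookie-based sessions, one bill endpoint, one
// logout endpoint. `cacheControl` is the Cache-Control value sent with bills.
function makeServer({ cacheControl, clearOnLogout = false }) {
  const sessions = new Map(); // session id -> user
  let nextId = 1;
  return {
    login(user) {
      const sid = `sid-${nextId++}`;
      sessions.set(sid, user);
      return sid;
    },
    handle({ path, cookie }) {
      const user = sessions.get(cookie);
      if (path === "/logout") {
        sessions.delete(cookie);
        const headers = { "Cache-Control": "no-store" };
        // Second mitigation: ask the browser to drop its cache on logout.
        if (clearOnLogout) headers["Clear-Site-Data"] = '"cache"';
        return { status: 200, headers, body: "logged out" };
      }
      if (!user) return { status: 401, headers: { "Cache-Control": "no-store" }, body: "login required" };
      if (path === "/bills/latest") {
        return { status: 200, headers: { "Cache-Control": cacheControl }, body: BILLS[user] };
      }
      return { status: 404, headers: { "Cache-Control": "no-store" }, body: "not found" };
    },
  };
}

// Minimal browser: one HTTP cache keyed by URL only (the cookie is not part of
// the key, as in real browsers), honouring no-store, max-age and
// Clear-Site-Data: "cache".
function makeBrowser(server) {
  const cache = new Map(); // url -> { response, expires }
  let cookie = null;
  return {
    setCookie(sid) { cookie = sid; },
    clearCookie() { cookie = null; },
    fetch(path) {
      const hit = cache.get(path);
      if (hit && hit.expires > Date.now()) return { ...hit.response, fromCache: true };
      const res = server.handle({ path, cookie });
      const cc = res.headers["Cache-Control"] || "";
      const maxAge = /max-age=(\d+)/.exec(cc);
      if (res.status === 200 && !/no-store/.test(cc) && maxAge) {
        cache.set(path, { response: res, expires: Date.now() + Number(maxAge[1]) * 1000 });
      }
      const csd = res.headers["Clear-Site-Data"];
      if (csd && csd.includes('"cache"')) cache.clear();
      return { ...res, fromCache: false };
    },
  };
}

// Replays the five steps from the post in one browser window that stays open.
function reproduce(serverOptions) {
  const server = makeServer(serverOptions);
  const browser = makeBrowser(server);
  browser.setCookie(server.login("alice"));        // steps 1-2: A logs in, views bill
  const aView = browser.fetch("/bills/latest");
  browser.fetch("/logout");                          // step 3: A logs out, window open
  browser.clearCookie();
  browser.setCookie(server.login("bob"));          // steps 4-5: B logs in, views bill
  const bView = browser.fetch("/bills/latest");
  return { userASaw: aView.body, userBSaw: bView.body, servedFromCache: bView.fromCache };
}

console.log("cacheable bill:", reproduce({ cacheControl: "max-age=3600" }));
console.log("no-store bill: ", reproduce({ cacheControl: "no-store" }));
console.log("cacheable + Clear-Site-Data on logout:",
  reproduce({ cacheControl: "max-age=3600", clearOnLogout: true }));
```

With a cacheable bill response, User B is shown User A's bill straight from the browser cache and the server is never asked; with `Cache-Control: no-store` on the bill response, or with `Clear-Site-Data: "cache"` on the logout response, B gets B's bill. Note that `Cache-Control: private` on its own does not help here: `private` only keeps shared caches (proxies, CDNs) from storing the response, and the cache in question is the user's own browser. Whether this is what is happening on EE's site can only be confirmed by looking at the response headers on the real bill download.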
 
2 REPLIES
Christopher_G
EE Community Support Team

Hi @faultreport2024 

Welcome to the community.

We had a similar report about this which we raised to the web team for investigation. I've passed on your experience too, to help them identify the issue.

Chris

faultreport2024
Investigator

Hi,

Thanks for the update. EE have contacted me earlier today and have taken the details of the fault and have reported it as a "data breach". Hopefully EE can sort this issue out ASAP as it's a worrying security lapse.