⚠️ AT&T Account Reset Vulnerability

Status
Not open for further replies.

hubz

Banned
Banned
Member
Joined
Threads
21
Posts
23
This member is banned. Please avoid dealing with banned members.
This proof-of-concept (PoC) program demonstrates how an attacker could
abuse AT&T’s password reset workflow.

You must reply to see the hidden content. Consider upgrading your account to increase your reply limit.


Sorry for not posting for a while came accross this its pretty cool

Summary:
The program uses C# with HttpClient to automate interaction with AT&T’s
account reset service. It retrieves the reset page, parses out hidden
ASP.NET form fields required for validation, and then resubmits them with
user-supplied credentials in a POST request to simulate a password reset.
How it works:
1. Initial Request:
- The program makes an HTTP GET request to the reset page at:

- It retrieves the response and extracts critical hidden fields:
__VIEWSTATE, __VIEWSTATEGENERATOR, and __EVENTVALIDATION.
- These values are required by ASP.NET WebForms to validate any
form submission.
2. Authentication Step:
- Using the extracted values, the program constructs a POST request
that includes personal data (UID, last name, employee ID, date of
birth, city of birth, PIN, and secret answer).
- This request attempts to validate the user against the backend system.
3. Password Reset Step:
- If authentication is successful, the program prepares a second
POST request to:

- This request submits a new password, city of birth, recovery email,
and PIN to complete the reset.
- The response is parsed for indicators of success or failure (e.g.,
"Your Password will be reset").
4. Configuration:
- The sensitive user information (UID, DOB, PIN, etc.) is loaded from
a local JSON configuration file (config.json), making the tool easy
to re-use with different accounts.
Impact:
This automation bypasses the intended "human in the loop" process by
programmatically submitting reset requests. If misused, this approach
could enable large-scale automated attempts against AT&T accounts,
leading to unauthorized account access.
Important Note:
This code is provided for security reporting purposes only. It is not
intended for malicious use. No real accounts were accessed in preparing
this proof-of-concept.
 
Status
Not open for further replies.