BT website lets anyone upgrade your phone package
"Convenience" feature allows BT accounts to be saddled with paid-for extras without entering security details
BT's website allows anyone to add paid-for extras to your phone package, using nothing more than your phone number and postcode.
The flaw, discovered by a reader of The Register, allows landline tariffs to be upgraded with various call packages and features such as caller display, without having to once enter a login or password.
Instead, all the user has to enter is the landline number and postcode, which is freely available from sources such as BT's own Phone Book site. It raises the possibility that costly extras could be added to customers' accounts without their knowledge.
BT's Unlimited Anytime Plus costs an extra £8 per month, for example, while adding five calling features can add another £8.40 per month to customers' bills.
BT was unable to comment to PC Pro at the time of publication, but a spokesperson for the company told The Register it wasn't a security hole. "Different levels of security apply to different products," the spokesman said. "Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode."
A further bug, which displayed the name of the primary account holder at the end of the account upgrade process, has been fixed.