
BT website lets anyone upgrade your phone package


By Barry Collins

Posted on 27 Nov 2012 at 09:16

BT's website allows anyone to add paid-for extras to your phone package, using nothing more than your phone number and postcode.

The flaw, discovered by a reader of The Register, allows landline tariffs to be upgraded with various call packages and features such as caller display, without ever having to enter a login or password.

Instead, all the user has to enter is the landline number and postcode, which are freely available from sources such as BT's own Phone Book site. It raises the possibility that costly extras could be added to customers' accounts without their knowledge.

BT's Unlimited Anytime Plus costs an extra £8 per month, for example, while adding five calling features can add another £8.40 per month to customers' bills.

BT was unable to comment to PC Pro at the time of publication, but a spokesperson for the company told The Register it wasn't a security hole. "Different levels of security apply to different products," the spokesman said. "Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode."

A further bug, which displayed the name of the primary account holder at the end of the account upgrade process, has been fixed.

User comments

Explains why....

Makes sense... I just had the joy of cancelling a call package on our ADSL lines that no-one here authorised... even then it took BT a while to understand that despite it being good for other clients it was pointless for us (we don't have phones on our ADSL lines) and would end up costing us a lot more due to the minimum spend requirement in the package contract.

They couldn't even tell me who authorised it.

By JmLing on 27 Nov 2012

Ok so it's not a security hole, it's a hole they dug themselves into.

Seriously, who came up with this because right now it sounds like the plot from a sitcom, not a major services provider.

By tech3475 on 27 Nov 2012

Usual BT practice

I've had calls made to my home address from BT. They ask to speak to the bill payer but if not there anybody will do. When I got the paperwork to find I'd been put on this restricted tariff (one of those that automatically adds 12 months to your account) it was too late to cancel. A few stern words to BT soon got it revoked but the practice stinks.

By gogoguy on 27 Nov 2012

As the advert (nearly) goes.. (not for BT)

I don't have a BT line. Can I have an upgrade?

I would hope not.

By BornOnTheCusp on 27 Nov 2012

Not sure what's more shocking

The security hole exists in the first place, or that BT doesn't consider it a security hole.

If somebody is able to genuinely order something online, then they are able to login with a password to do so - the people who could only enter a postcode and phone number wouldn't choose to genuinely upgrade their account online anyway.

By halsteadk on 29 Nov 2012
