
Major Security Issue with X1 App

ORllyNao
Regular Contributor

Hey all, 

 

I wanted to flag this here as this seems to be a pretty massive security issue with the X1 app/card that people should be aware of.

 

tl;dr - Retried the pre-qualify after a previous denial, got directed to download the app, did so, put in all my own information, verified my own phone # and email address, was then logged into my wife's X1 account in the app, and it automatically updated her email in the app to mine. 

 

Answers to a few questions I'm sure people will ask - 

  • I have not been added as an additional user on her card at any point, ever.
  • I never sent her an invite link and she never sent one to me.
  • We do not share a cell phone number or an email address. We are on the same phone plan, and the plan is in my name, but that's it.
  • She did not receive a text alert about any of this.
  • Her account has never been accessed from my phone in any way, ever - not in the app, not in a browser. She has only ever accessed her account on her own phone. 

 

Ok, here's the longer version of what happened...

 

I saw here on the forums that the X1 card no longer has a wait list. I did the pre-qualify a while back and got denied, so I figured I'd go see if I might pre-qualify this time (scores have gone up a lot). I used an incognito window, as I always do, put in my first and last name and DOB. Clicked continue and then put in my email and my phone number. It sent a code to my phone and I put that in. It might have sent an email verification around this time as well, I can't remember now. The little wheel spun for a second and then a screen popped up saying I didn't need to wait, I could access my card number in the app, and gave me links to the Play Store to download it. I thought that was a bit odd at this point in the application, but thought maybe the pre-qualify has to be done through the app now. Who knows. So, I downloaded the app. 

 

Started the pre-qualify again in the app, and the application popped up in a browser window. Same thing as before - entered my name and DOB, on the next screen entered my email and phone number, it sent me the code, I entered that, can't remember on the email verification but probably did that too. Again I got a screen saying I don't need to wait, and it gave me a QR code to download the app. Very strange, as I started it in the app this time and still got this message. 

 

So, as a last attempt, I thought ok, maybe it saved my info from when I did the pre-qual app the first time and that's why it's being weird. So I clicked that link. It asked for the phone number used on the application, I put mine in. It texted me a code, and I put that in. It asked for my email address, so I put that in. It sent a link to my email to verify, opened my email (still using my phone at this point) and clicked the link. Went back to the X1 app, and I was logged into my wife's account, plain as day. All of her transactions (she's only had the card for a week or two), her account balance, everything was there in the app on my phone where I was now logged in as her, using ONLY MY INFO to get there. 

 

I logged out of her account and then went through those last steps a second time, because I wanted screenshots of every single step, including all the info I entered, so there is zero doubt about what happened. I then immediately messaged my wife at work to let her know and sent her the screenshots. She checked her app and sent me a screenshot back showing that it now has MY email address as the one associated with her account. She locked her card (because this is a massive security issue) and I uninstalled the app. I don't want it on my phone and I definitely do not want this card now. 

 

The only thing I can come up with is that this is somehow tied to us being on the same cell phone plan, and because the plan is in my name it associated my info with hers for the card/app. Even if that is the case, this is still a HUGE security issue for X1. People share phone plans all the time, but that doesn't mean you want the owner of the plan (or anyone else on it, possibly?) to have the ability to log into your X1 account. The fact that the card number is available in the app and can be used via the app just makes this all the more frightening. And I'm absolutely shook that she wasn't immediately notified of a login from a new device or that her email had been updated in the app. 

 

Waiting on my wife to get home now and then we'll figure out what's next. She wants to close the card over this, and I can't say I blame her. 

 

Will update if/when there's more to report, but wanted y'all to be aware. 

ETA: This issue has been reported to X1, along with the screenshots. 


FICO 8 | March 2023
Message 1 of 5
4 REPLIES
Jnbmom
Credit Mentor

Re: Major Security Issue with X1 App

@ORllyNao 

 

That's just plain scary 😡

EXP 780 | EQ 791 | TU 795
Message 2 of 5
CreditCuriosity
Moderator Emeritus

Re: Major Security Issue with X1 App

Report it to them?

Message 3 of 5
ORllyNao
Regular Contributor

Re: Major Security Issue with X1 App


@CreditCuriosity wrote:

Report it to them?



Yep, this has been reported to them. First thing DW did when she got home. Will see what the response is. 


FICO 8 | March 2023
Message 4 of 5
ORllyNao
Regular Contributor

Re: Major Security Issue with X1 App

Now that I think about it, I'm not 100% certain that my previous (denied) application plays into this at all, as none of the information I gave them matches what DW gave when she was approved, with the exception of: us having cell phone #s on the same plan; a shared bank account that I did not link, but she did; and our physical address, which was not asked for at any point during this "sign in" process today. 

 

My wife and I do have a shared checking account that she linked during the application (she has funds deposited into it, of course. We both do). However, I never got to the point of sharing my accounts via Plaid, as I was denied before this step, so I don't think this is the link here. They wouldn't have my linked bank account info, because I never submitted it.

 

I'm genuinely curious if this could be repro'd by other people who: 

  • Are on a shared cell phone plan (we're on T-Mobile) with someone who currently has an open X1 account
  • Do not also currently have an open X1 account

I'm worried that anyone on the same cell phone plan can currently gain access to the X1 accounts of anyone on that same phone plan. Maybe it's only the cell phone account owners? Regardless, this is still not good. 

 

If anyone meeting the above criteria is willing to test this out, I'd be very interested in the DP. But also fully understand if this is too far and no one wants to check this, because WTAF. Scary. 


FICO 8 | March 2023
Message 5 of 5
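The sign-in flow described in the first post (prove a phone number by OTP, prove an email by magic link, land in an account) and the shared-plan hypothesis in the last post can be modelled to show the two design mistakes that together would produce exactly the symptom reported: resolving the account by a looser key than the identifiers the caller actually proved, and treating a freshly verified email as a correction to the record instead of a mismatch. The block below is an added illustration for this thread, not X1's code; the root cause in the real incident is unknown, and the carrier-plan lookup (`PLAN_OF_PHONE`) is the poster's guess, modelled here as a labelled assumption so the loose and strict behaviours can be compared side by side. All phone numbers, emails and account IDs are constructed sample data.

```python
"""
Toy model of a passwordless sign-in flow (phone OTP + email magic link).

Hypothetical model written for this thread. It is not X1's code. The
carrier-plan lookup is the poster's hypothesis, included as an assumption
so the vulnerable and hardened resolution logic can be compared.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    phone: str
    email: str
    events: list = field(default_factory=list)


# Constructed sample data, not real numbers or accounts.
# ASSUMPTION: the service can map a phone number to a carrier billing plan.
PLAN_OF_PHONE = {
    "+15550000001": "plan-42",   # plan holder (the poster); no X1 account
    "+15550000002": "plan-42",   # second line on the same plan (the cardholder)
    "+15550000003": "plan-99",   # unrelated customer
}


def make_directory():
    """Fresh account table: only the cardholder and an unrelated customer exist."""
    return {
        "acct-w": Account("acct-w", "+15550000002", "wife@example.com"),
        "acct-u": Account("acct-u", "+15550000003", "other@example.com"),
    }


def by_phone(directory, phone):
    return next((a for a in directory.values() if a.phone == phone), None)


def by_plan(directory, plan_id):
    return next((a for a in directory.values()
                 if PLAN_OF_PHONE.get(a.phone) == plan_id), None)


def login_loose(directory, verified_phone, verified_email):
    """Pattern that reproduces the symptom in the post.

    verified_phone / verified_email are values the caller has just proven
    control of. If no account has this exact phone, the code falls back to
    "any account on the same carrier plan", then treats the verified email
    as a correction to that account's record.
    """
    acct = by_phone(directory, verified_phone)
    if acct is None:
        acct = by_plan(directory, PLAN_OF_PHONE.get(verified_phone))
    if acct is None:
        return None
    if acct.email != verified_email:
        acct.email = verified_email          # silent rebind; owner is never told
    acct.events.append(("login", verified_phone))
    return acct.account_id


def login_strict(directory, verified_phone, verified_email):
    """Hardened version: both proven factors must belong to the same account.

    Login never mutates contact details. Changing an email is a separate,
    re-authenticated step that notifies both the old and the new address,
    and every new-device login produces a notification to the owner.
    """
    acct = by_phone(directory, verified_phone)
    if acct is None or acct.email != verified_email:
        return None                           # one generic failure for every mismatch
    acct.events.append(("login", verified_phone))
    return acct.account_id


if __name__ == "__main__":
    d = make_directory()
    print(login_loose(d, "+15550000001", "husband@example.com"))   # acct-w
    print(d["acct-w"].email)                                        # husband@example.com
    d = make_directory()
    print(login_strict(d, "+15550000001", "husband@example.com"))  # None
```

The strict version returns the same generic failure whether the phone is unknown or the email does not match, so the flow cannot be used to enumerate which phone numbers or emails are on file, and it leaves the record untouched on failure; the loose version fails both properties at once.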