Full Disclosure mailing list archives
Anyone can log into Virgin Mobile USA accounts, read/write customer data
From: Kevin Burke <kevin () twilio com>
Date: Mon, 17 Sep 2012 09:51:47 -0700
Virgin USA requires customers to use a 6-digit PIN on their account, and the phone number for a login. Once an attacker knows your PIN, they can take any action on your account with no restraint. They can also determine whether a phone number is a Virgin Mobile USA number, based on the login information.

List of actions possible with someone's login information:

- see who you’ve been calling and texting,
- change the handset associated with your number,
- change your address, your email address, or your password,
- purchase a handset on your behalf

There is no way for any of their 6 million subscribers to defend against this attack.

I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it. Full details of the attack, as well as a history of my communication with Virgin Mobile, are available on my website:

http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

----
Kevin Burke | 415-723-4116 | www.twilio.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
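The post names two weaknesses in the login described above: a short numeric PIN that can be tried "with no restraint", and a login response that reveals whether a phone number belongs to a subscriber. The following is an added illustration from the defender's side, written for this archive page; it is not code from the original post, from Virgin Mobile, or from the author's write-up. It shows the two controls that close those gaps in a phone-number-plus-PIN login: a per-account failure counter with a temporary lockout, and a single identical failure response (and comparable CPU cost) whether the number is unknown, the PIN is wrong, or the account is locked. The class and constant names (`PinLogin`, `MAX_FAILURES`, `LOCKOUT_SECONDS`), the policy values, and the sample phone numbers are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5         # assumed policy: consecutive wrong PINs before lockout
LOCKOUT_SECONDS = 900    # assumed policy: 15-minute lockout window
PBKDF2_ROUNDS = 100_000  # assumed work factor for PIN hashing

# One generic message for every failed login. Returning different text for
# "no such number" versus "wrong PIN" would let a caller enumerate which
# phone numbers are subscriber accounts, which is the second issue the post raises.
FAIL_MSG = "login failed"

# A fixed dummy salt so unknown numbers cost the same hashing work as real ones.
_DUMMY_SALT = b"\x00" * 16


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash of the PIN; the stored value never reveals the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # clock value until which logins are refused


class PinLogin:
    """Minimal phone-number + PIN login with lockout and enumeration-resistant responses."""

    def __init__(self, clock=time.monotonic):
        # Injectable clock so the lockout window can be exercised in tests.
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register(self, phone: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[phone] = Account(salt=salt, pin_hash=hash_pin(pin, salt))

    def login(self, phone: str, pin: str) -> tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(phone)

        if acct is None:
            # Unknown number: do the same hashing work and return the same
            # message as a wrong PIN, so neither timing nor text leaks existence.
            hash_pin(pin, _DUMMY_SALT)
            return False, FAIL_MSG

        if now < acct.locked_until:
            # Locked accounts refuse even the correct PIN until the window expires.
            return False, FAIL_MSG

        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return True, "ok"

        # Wrong PIN: count it, and lock the account once the budget is exhausted.
        # With a 6-digit PIN space, an attempt budget this small makes guessing
        # the PIN by repeated tries impractical.
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False, FAIL_MSG


if __name__ == "__main__":
    svc = PinLogin()
    svc.register("5551234567", "123456")   # constructed sample account
    print(svc.login("5551234567", "123456"))  # correct PIN
    print(svc.login("5559999999", "123456"))  # unknown number: same failure text
    for _ in range(MAX_FAILURES):
        print(svc.login("5551234567", "000000"))  # wrong PINs until lockout
    print(svc.login("5551234567", "123456"))  # locked: refused despite correct PIN
```

In a real deployment the counter and lock state would live in shared storage rather than a dict, and a second, coarser limit keyed on the calling source would sit alongside the per-account one; the point of the block is that both the attempt budget and the uniform failure response are small changes at the login boundary.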