Full Disclosure mailing list archives

Anyone can log into Virgin Mobile USA accounts, read/write customer data


From: Kevin Burke <kevin () twilio com>
Date: Mon, 17 Sep 2012 09:51:47 -0700

Virgin USA requires customers to use a 6-digit PIN on their account,
and the phone number for a login. Once an attacker knows your PIN,
they can take any action on your account with no restraint. They can
also determine whether a phone number is a Virgin Mobile USA number,
based on the login information.

List of actions possible with someone's login information:

- see who you’ve been calling and texting,
- change the handset associated with your number,
- change your address, your email address, or your password,
- purchase a handset on your behalf

There is no way for any of their 6 million subscribers to defend
against this attack. I contacted Virgin Mobile over a month ago about
the issue and they have refused to fix it.

Full details of the attack, as well as a history of my communication
with Virgin Mobile, are available on my website:

http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

----
Kevin Burke | 415-723-4116 | www.twilio.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
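The login scheme the post describes, modelled as an added example (this is not code from the post, from Twilio, or from Virgin Mobile): the phone number is the identifier and a 6-digit PIN is the only secret. The phone numbers, PINs and class names are constructed for the demo. The "leaky" server returns different responses for an unknown number and a wrong PIN, which is how a number can be checked for being a subscriber; the "hardened" server returns one failure response and caps guesses per account, which is the general defence for a secret with only 10**6 possible values. The guess cap and the five-attempt limit are a standard control shown for contrast, not something the post states about Virgin Mobile's site.

```python
"""Toy model of a phone-number + 6-digit-PIN login.

Added example, not code from the post or from Virgin Mobile. All phone
numbers, PINs and class names below are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PIN_SPACE = 10 ** 6          # a 6-digit PIN has exactly one million values
MAX_FAILURES = 5             # per-account guess cap in the hardened model (assumed policy)
DUMMY_SALT = os.urandom(16)  # lets unknown numbers cost the same work as real ones


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Hashing protects the stored PIN, not the login: the tiny keyspace is the problem.
    return hashlib.sha256(salt + pin.encode()).digest()


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0


def make_accounts(pins: dict) -> dict:
    """pins maps phone number -> PIN (constructed demo data)."""
    accounts = {}
    for phone, pin in pins.items():
        salt = os.urandom(16)
        accounts[phone] = Account(salt, _hash_pin(pin, salt))
    return accounts


class LeakyLogin:
    """Identifier = phone number, secret = PIN, distinguishable responses, no guess cap."""

    def __init__(self, accounts: dict):
        self.accounts = accounts

    def login(self, phone: str, pin: str) -> str:
        acct = self.accounts.get(phone)
        if acct is None:
            return "unknown number"      # reveals that the number is not a subscriber
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            return "ok"
        return "wrong pin"               # unlimited retries: 10**6 guesses finish the job


class HardenedLogin(LeakyLogin):
    """Same data, one uniform failure response, per-account guess cap."""

    def login(self, phone: str, pin: str) -> str:
        acct = self.accounts.get(phone)
        if acct is None:
            _hash_pin(pin, DUMMY_SALT)   # same work as a real check, so timing does not leak
            return "login failed"
        if acct.failures >= MAX_FAILURES:
            return "login failed"        # locked; the recovery path is out of scope here
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "login failed"


def enumerate_subscribers(service, candidates):
    """Attacker: one throwaway PIN per number; keep every number not rejected as unknown."""
    return [n for n in candidates if service.login(n, "000000") != "unknown number"]


def brute_force_pin(service, phone, budget=PIN_SPACE):
    """Attacker: walk the PIN space in order. Returns (pin or None, guesses used)."""
    for i in range(budget):
        guess = f"{i:06d}"
        if service.login(phone, guess) == "ok":
            return guess, i + 1
    return None, budget


DEMO_PINS = {"4155550101": "000123", "4155550199": "482913"}   # constructed
CANDIDATES = ["4155550100", "4155550101", "4155550102", "4155550199"]


if __name__ == "__main__":
    leaky = LeakyLogin(make_accounts(DEMO_PINS))
    hard = HardenedLogin(make_accounts(DEMO_PINS))
    print("leaky enumerates:", enumerate_subscribers(leaky, CANDIDATES))
    print("hardened enumerates:", enumerate_subscribers(hard, CANDIDATES))
    print("leaky brute force:", brute_force_pin(leaky, "4155550101", 1000))
    print("hardened brute force:", brute_force_pin(hard, "4155550101", 1000))
```

Against the leaky server, enumeration returns exactly the subscriber numbers and a low PIN falls in a few hundred guesses; against the hardened one, every candidate looks the same and the account locks before the PIN is found. A bare lockout also hands an attacker a way to lock victims out of their own accounts, so in practice the per-account cap is paired with per-source rate limiting and a recovery path; the point of the contrast is only that a million-value secret is no barrier unless the server limits how often it can be tried.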