BreachExchange mailing list archives
Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked
From: security curmudgeon <jericho () attrition org>
Date: Tue, 18 Sep 2012 00:16:39 -0500 (CDT)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.wired.com/threatlevel/2012/09/virgin-mobile/

By Ryan Singel
Threat Level
Wired.com
09.17.12

Virgin Mobile U.S. promises its customers that it uses "standard industry practices" to protect its customers' personal data -- but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber's account, see who they call and text, register a different phone on the account and even purchase a new iPhone.

That's according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems.

Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer's phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password -- which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes -- something Burke confirmed by writing a short script to guess his own password in a day.

Once an unauthorized user is in, they can read a customer's communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account -- without notification to the previous address.

[...]
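The following is an added illustration, not part of the forwarded article and not Burke's script. It models the login behaviour the article describes (phone number as username, 6-digit PIN, unlimited guesses) as a toy Python class, runs a sequential PIN brute force against it, and then repeats the run with a simple failed-attempt lockout to show why bounding guesses matters. The class, the PIN values, the lockout threshold and the guess rate used in the time estimate are all constructed assumptions for the example.

```python
from typing import Optional

# Constructed toy model of a PIN-protected account. The real site's
# implementation is unknown; only the behaviour reported in the article
# (6-digit PIN, unlimited guesses) is modelled here.

PIN_SPACE = 10 ** 6  # 000000 .. 999999, the "million possible passwords"


class PinAccount:
    """Account guarded by a 6-digit PIN.

    max_failures=None reproduces the reported behaviour: no limit on
    wrong guesses. Any integer value locks the account after that many
    consecutive failures (a hypothetical hardening, not the site's).
    """

    def __init__(self, pin: str, max_failures: Optional[int] = None):
        if len(pin) != 6 or not pin.isdigit():
            raise ValueError("PIN must be exactly six digits")
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0      # consecutive wrong guesses
        self.attempts = 0      # every login call, right or wrong
        self.locked = False

    def login(self, guess: str) -> bool:
        self.attempts += 1
        if self.locked:
            return False       # locked accounts reject even the right PIN
        if guess == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(account: PinAccount) -> Optional[str]:
    """Try every PIN in ascending order until one works or the account locks.

    Returns the recovered PIN, or None if the lockout stopped the attack.
    """
    for n in range(PIN_SPACE):
        guess = f"{n:06d}"
        if account.login(guess):
            return guess
        if account.locked:
            return None
    return None


def expected_seconds_to_crack(guesses_per_second: float) -> float:
    """Mean time to hit a uniformly random PIN with unlimited online guesses.

    On average half the keyspace is searched before the PIN is found.
    The guess rate is an assumption the caller supplies; at 10 guesses/s
    this is ~14 hours, which is consistent with "in a day".
    """
    return (PIN_SPACE / 2) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample PIN; unlimited guesses => recovered.
    open_account = PinAccount("003141")
    print("no lockout ->", brute_force(open_account), "after", open_account.attempts, "attempts")

    # Same PIN, hypothetical lockout after 5 consecutive failures => attack stops.
    hardened = PinAccount("003141", max_failures=5)
    print("lockout    ->", brute_force(hardened), "locked:", hardened.locked)

    print("mean seconds at 10 guesses/s:", expected_seconds_to_crack(10))
```

A counter-based lockout is the minimal fix and is itself double-edged: because the username is a predictable phone number, an attacker can deliberately lock a victim out by sending wrong guesses. A production fix would combine per-source rate limiting, escalating delays, and notification to the account holder, alongside a longer secret than six digits.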
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list