Message-ID: <CABHXUv1Z_U37Ut2Q4QkgyXEo0V34AaFtfc=df3NQL--HMPttXw@mail.gmail.com>
Date: Mon, 17 Sep 2012 09:51:47 -0700
From: Kevin Burke <kevin@...lio.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Anyone can log into Virgin Mobile USA accounts,
	read/write customer data

Virgin USA requires customers to use a 6-digit PIN on their account,
and the phone number for a login. Once an attacker knows your PIN,
they can take any action on your account with no restraint. They can
also determine whether a phone number is a Virgin Mobile USA number,
based on the login information.

List of actions possible with someone's login information:

- see who you’ve been calling and texting,
- change the handset associated with your number,
- change your address, your email address, or your password,
- purchase a handset on your behalf

There is no way for any of their 6 million subscribers to defend
against this attack. I contacted Virgin Mobile over a month ago about
the issue and they have refused to fix it.

Full details of the attack, as well as a history of my communication
with Virgin Mobile, are available on my website:

http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

----
Kevin Burke | 415-723-4116 | www.twilio.com

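Two of the post's points are worth seeing in running code: a login that answers differently for "no such number" and "wrong PIN" lets anyone enumerate which phone numbers belong to the carrier, and a 6-digit PIN is only 10**6 possibilities. The following is an added example, not Kevin Burke's code and not Virgin Mobile's system; the account data, response strings, attempt limit and the low PBKDF2 iteration count are constructed for the demo, and the post itself does not say how an attacker obtains a PIN or whether any throttling existed. The "leaky" service models the enumeration side channel the post describes; the "hardened" one returns a uniform failure, does the same hashing work for unknown numbers, and caps guesses per account.

```python
"""Mock phone-number + 6-digit-PIN login: enumeration leak and online PIN guessing.

Added example. All data below is constructed for illustration; it is not
Virgin Mobile's code, API or response text.
"""
import hashlib
import hmac
import secrets

PIN_SPACE = 10 ** 6          # a 6-digit PIN has exactly one million values
MAX_ATTEMPTS = 5             # per-account failed-guess cap in the hardened service (demo value)
DEMO_ITERATIONS = 1_000      # kept low so the demo runs quickly; use far more in production


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN (demo iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, DEMO_ITERATIONS)


def make_accounts(plain: dict) -> dict:
    """Build the account store phone -> (salt, pin_hash) from constructed plaintext PINs."""
    store = {}
    for phone, pin in plain.items():
        salt = secrets.token_bytes(16)
        store[phone] = (salt, _hash_pin(pin, salt))
    return store


class LeakyLogin:
    """Verbose responses distinguish unknown numbers from bad PINs; no attempt limit."""

    def __init__(self, accounts: dict):
        self.accounts = accounts

    def login(self, phone: str, pin: str) -> str:
        if phone not in self.accounts:
            return "unknown number"          # reveals the number is not a subscriber
        salt, expected = self.accounts[phone]
        if hmac.compare_digest(_hash_pin(pin, salt), expected):
            return "ok"
        return "wrong PIN"                   # reveals the number IS a subscriber


class HardenedLogin:
    """Uniform failure response, equal work for unknown numbers, per-account guess cap."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.failures = {}
        # Dummy credential so unknown numbers cost the same hashing time as real ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_pin("000000", self._dummy_salt)

    def login(self, phone: str, pin: str) -> str:
        if self.failures.get(phone, 0) >= MAX_ATTEMPTS:
            return "failed"                  # locked out: same response as any other failure
        salt, expected = self.accounts.get(phone, (self._dummy_salt, self._dummy_hash))
        match = hmac.compare_digest(_hash_pin(pin, salt), expected)
        if match and phone in self.accounts:
            self.failures.pop(phone, None)
            return "ok"
        self.failures[phone] = self.failures.get(phone, 0) + 1
        return "failed"                      # never says whether the number exists


def enumerate_subscribers(service, candidates: list) -> list:
    """Attacker side: probe each number with a throwaway PIN and keep those whose
    response proves an account exists. Only the leaky service gives anything away."""
    return [p for p in candidates if service.login(p, "000000") == "wrong PIN"]


def brute_force_pin(service, phone: str, budget: int = PIN_SPACE):
    """Attacker side: walk the 6-digit space online until the service says 'ok'.
    Returns the PIN, or None if the budget runs out (or the account locks)."""
    for n in range(budget):
        pin = f"{n:06d}"
        if service.login(phone, pin) == "ok":
            return pin
    return None


def demo() -> dict:
    """Run both attacks against both services on constructed accounts."""
    accounts = make_accounts({"4155550100": "004217", "4155550142": "991100"})
    candidates = ["4155550100", "4155550142", "4155550199"]  # last one is not a subscriber
    leaky, hard = LeakyLogin(accounts), HardenedLogin(accounts)
    return {
        "leaky_enum": enumerate_subscribers(leaky, candidates),
        "leaky_pin": brute_force_pin(leaky, "4155550100"),
        "hard_enum": enumerate_subscribers(hard, candidates),
        "hard_pin": brute_force_pin(hard, "4155550100"),
        "hard_locked": hard.login("4155550100", "004217"),  # right PIN, but account is locked
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against the leaky service the enumeration probe returns exactly the two subscriber numbers and the guess loop recovers the PIN in a few thousand requests; against the hardened one both return nothing, and even the correct PIN is refused once the cap is hit. That last line is the caveat: a hard per-account lockout turns the same small keyspace into a denial-of-service lever, so real deployments usually combine a uniform response with progressive delays, per-source rate limits and a second factor rather than a bare counter.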
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
