- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Anyone can log into Virgin Mobile USA accounts, read/write customer data
- From: Kevin Burke <kevin@xxxxxxxxxx>
- Date: Mon, 17 Sep 2012 09:51:47 -0700
Virgin USA requires customers to use a 6-digit PIN on their account,
and the phone number for a login. Once an attacker knows your PIN,
they can take any action on your account with no restraint. They can
also determine whether a phone number is a Virgin Mobile USA number,
based on the login information.
List of actions possible with someone's login information:
- see who you’ve been calling and texting,
- change the handset associated with your number,
- change your address, your email address, or your password,
- purchase a handset on your behalf
There is no way for any of their 6 million subscribers to defend
against this attack. I contacted Virgin Mobile over a month ago about
the issue and they have refused to fix it.
Full details of the attack, as well as a history of my communication
with Virgin Mobile, are available on my website:
http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/
----
Kevin Burke | 415-723-4116 | www.twilio.com
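The post above lists the impact of the phone-number-plus-PIN login but not the mechanics, so the following is an added illustration by the editor, not Kevin Burke's code and not Virgin Mobile's implementation. It models the two properties the post describes, a login whose only secret is a 6-digit PIN and a login whose responses reveal whether a number belongs to a customer, and places them beside a hardened variant that answers uniformly and locks the account after a few failures. The subscriber table, the PINs, the lockout threshold of five attempts, and the error strings are all constructed assumptions.

```python
"""Toy model of a phone-number + 6-digit PIN login (constructed example).

LeakyLogin reproduces the weaknesses the post describes: distinct error
messages disclose which numbers are customers, and there is no limit on
PIN attempts.  HardenedLogin returns one uniform failure string and locks
the number after MAX_ATTEMPTS failures.  Nothing here is Virgin Mobile's
code; the accounts, PINs and threshold are made up for the demonstration.
"""
import hmac

# Constructed subscriber table: phone number -> PIN.  A real system would
# store a salted hash of the PIN, not the PIN itself.
SUBSCRIBERS = {"4155550100": "482913", "4155550199": "000000"}

MAX_ATTEMPTS = 5  # assumed lockout threshold for the hardened variant


class LeakyLogin:
    """Distinct failure messages and unlimited guesses (the weak design)."""

    def login(self, phone, pin):
        if phone not in SUBSCRIBERS:
            return "unknown number"      # tells the caller this is not a customer
        if SUBSCRIBERS[phone] != pin:
            return "wrong PIN"           # tells the caller the number IS a customer
        return "ok"


class HardenedLogin:
    """Uniform failure response plus per-number lockout after MAX_ATTEMPTS."""

    def __init__(self):
        self.failures = {}  # phone -> consecutive failed attempts

    def login(self, phone, pin):
        if self.failures.get(phone, 0) >= MAX_ATTEMPTS:
            return "failed"  # locked out; indistinguishable from any other failure
        expected = SUBSCRIBERS.get(phone, "")
        # Unknown numbers and wrong PINs take the same path and get the same
        # answer, so the response does not reveal customer status.
        if expected and hmac.compare_digest(expected, pin):
            self.failures.pop(phone, None)
            return "ok"
        self.failures[phone] = self.failures.get(phone, 0) + 1
        return "failed"


def enumerate_customers(service, candidates):
    """Numbers the service's error text identifies as customers.

    Against LeakyLogin this recovers the subscriber list; against
    HardenedLogin every candidate looks the same, so it returns them all.
    """
    return [p for p in candidates if service.login(p, "111111") != "unknown number"]


def correct_pin_works_after(service, phone, wrong_guesses):
    """Submit wrong_guesses bad PINs, then the real one; True if the account still opens.

    LeakyLogin never locks, so the real PIN works after any number of
    guesses; HardenedLogin refuses it once MAX_ATTEMPTS failures occurred.
    """
    for i in range(wrong_guesses):
        service.login(phone, "%06d" % (999999 - i))  # constructed wrong guesses
    return service.login(phone, SUBSCRIBERS[phone]) == "ok"


if __name__ == "__main__":
    probe = ["4155550100", "4155550101", "4155550199"]
    print("leaky enumeration:", enumerate_customers(LeakyLogin(), probe))
    print("hardened enumeration:", enumerate_customers(HardenedLogin(), probe))
    print("leaky, PIN works after 1000 bad guesses:",
          correct_pin_works_after(LeakyLogin(), "4155550100", 1000))
    print("hardened, PIN works after 5 bad guesses:",
          correct_pin_works_after(HardenedLogin(), "4155550100", MAX_ATTEMPTS))
```

The uniform "failed" string and the lockout counter are the two controls that remove the properties the post complains about; a constant-time comparison is included so the response timing does not reintroduce the distinction the error text no longer provides.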