Virgin Mobile Warned About Security Issue, Doesn’t Bother Fixing It

There’s something to be said for concerned customers who contact companies in order to help them solve problems inherent in their systems. This is what Kevin Burke, one such concerned customer who just so happens to be a coder, did with Virgin Mobile USA back in August. After taking the matter seriously at first, it appears that the company ultimately did nothing about the fact that its account authentication can easily be brute-forced.

To prove his point, Burke created a script to brute force his own account by guessing each and every possible combination. Accounts required only a six-digit PIN. It should come as no surprise that his attempt was successful. Failed authentication will lock potential miscreants out of the account, but that’s only if they’re amateurs and attempt the process through a browser or with cookies enabled.
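The lockout weakness described above can be modelled in a few lines. This is an added example, not code from Burke or Virgin Mobile: it assumes the failed-attempt counter was tied to the session cookie (which is how the description reads), and the class names, threshold, account number and PIN are all constructed for illustration. It compares that design with a counter stored server-side against the account.

```python
import hmac
import itertools
from collections import defaultdict

MAX_FAILURES = 5                   # assumed threshold, not from the article
ACCOUNTS = {"5550100": "493817"}   # constructed account number and 6-digit PIN


class SessionKeyedLockout:
    """Weak design: failed attempts are counted per session cookie."""

    def __init__(self):
        self.failures = defaultdict(int)
        self._fresh = itertools.count()

    def _key(self, account, session_id):
        # No cookie sent: the server issues a brand-new session, so the
        # counter for this request starts from zero again.
        return session_id or f"new-session-{next(self._fresh)}"

    def login(self, account, pin, session_id=None):
        key = self._key(account, session_id)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"        # refused before the PIN is even compared
        if hmac.compare_digest(pin, ACCOUNTS.get(account, "")):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


class AccountKeyedLockout(SessionKeyedLockout):
    """Hardened design: the counter belongs to the account, server-side."""

    def _key(self, account, session_id):
        return account             # nothing the client sends or omits resets it


def wrong_guesses_processed(guard, keep_cookie, attempts=20):
    """Count wrong PINs the server evaluated before it stopped checking."""
    session = "cookie-abc" if keep_cookie else None
    results = [guard.login("5550100", "000000", session) for _ in range(attempts)]
    return results.count("denied")


if __name__ == "__main__":
    for cls in (SessionKeyedLockout, AccountKeyedLockout):
        for keep in (True, False):
            print(cls.__name__, "cookie kept:", keep,
                  "->", wrong_guesses_processed(cls(), keep))
```

With the session-keyed counter, a client that drops its cookie has every guess evaluated; with the account-keyed counter, checking stops at the threshold regardless of what the client sends.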

So far, Burke has only confirmed the vulnerability with Virgin Mobile USA accounts. The company’s international accounts appear to use a different code base that is more secure to serve their customers. So, good job, international Virgin Mobile folks.

What can be accessed through this exploit? Everything a user might be able to access in their Virgin Mobile account. Malicious hackers can view the call history, change the handset tied to the account, purchase an entirely new handset, and cause the typical damage of resetting any information associated with the account. You know, just a few minor things. Clearly, this doesn’t deserve any further authentication.

As it stands, the first line of defense here would see Virgin Mobile USA implement tougher passwords. By expanding the length to eight characters and allowing uppercase letters, lowercase letters, and numbers, it would potentially allow for 218,340,105,584,896 different combinations. That’s a bit tougher to crack.

(Kevin Burke via Wired, image via Brian Klug)
