dslreports logo
site
spacer

spacer
 
   
spc
story category
Virgin Mobile Website Vulnerable to Hack
Six Digit Random Pin Easily Compromised
by Karl Bode 08:06AM Tuesday Sep 18 2012 Tipped by Revcb See Profile
A developer says he's discovered a vulnerability in the Virgin Mobile website that allows a third party to access private user information, and that the company has yet to do anything about it after being alerted. Blogger and developer Kevin Burke says that in August he noticed something alarming about the Virgin Mobile website: plugging in anyone else's Virgin Mobile number into the website can allow a hacker to gain access to confidential customer call and texting reports, change user passwords and addresses, or purchase an unauthorized handset.

Click for full size
The website uses account phone numbers as usernames and a six-digit random pin as a password, while allowing users unlimited retries to guess the password. Using a Python script without cookies, Burke says he was able to make hundreds of password guess attempts without any problems. When he brought this to Virgin Mobile's attention, Burke says he was ignored:
quote:
I follow up with ( Steven from Sprint Executive and Regulatory Services) again, informing him that I am going to publish details of the attack in 24 hours, unless I have more concrete information about Virgin’s plans to resolve the issue in a timely fashion...Steven calls back to tell me to expect no further action on Virgin Mobile’s end. Time to go public.
Interestingly, the six digit pin doesn't let you have three-identical sequential numbers, yet it proudly suggests to their user to use their birthday as a password. Sprint says they're taking a look at all of their security standards, including Virgin Mobile.

view:
topics flat nest 
clone

join:2000-12-11
Portage, IN

It's not that easy.

The vulnerability is that some blogger wrote a script to brute-force the 6-digit account PIN number. Any password can be brute-forced, but a 6-digit PIN makes it easier.

And, are we sure that there aren't rate limits in place (many sites make you wait 24 hours after X number of incorrect attempts), all we have is this guy's word (and he's a HACKER!)?

While I agree, it's not the best security method, anyone who is using Virgin Mobile for anything important anyway needs to have their head checked. Terrible service and worse customer support. What do you expect for $25 a month?

seamore
Premium
join:2009-11-02

Re: It's not that easy.

said by clone:

While I agree, it's not the best security method, anyone who is using Virgin Mobile for anything important anyway needs to have their head checked. Terrible service and worse customer support. What do you expect for $25 a month?

Let me guess, Apple fanboi, you are?
clone

join:2000-12-11
Portage, IN

Re: It's not that easy.

No, I used VM's service for about 3 months, and it was absolutely atrocious. If you rely on your phone for business or anything important at all, you don't want this service provider under any circumstances.

And actually, if you must know...if I had to choose one and only one phone to carry, it would be my Galaxy S3. I've owned at least 6 Android devices in the last 3 years, and two iPhones. So, not a fanboy of either really, but if I was a fanboy I would be an Android fanboy.

My only point was that if you expect cellular service for $25 a month, you have to realize that they are cutting corners somewhere. You get what you pay for.

Nice ad hominem, though. Even though I don't understand it one bit.

seamore
Premium
join:2009-11-02

1 recommendation

Re: It's not that easy.

Let's just say this. It was worked nicely for me for over 3 years. Never had a problem, and i like the feeling that im not getting ripped off.

phone = good signal
text = perfect
www = OK (it's not a laptop with broadband)
hottboiinnc
ME

join:2003-10-15
Cleveland, OH

Re: It's not that easy.

i know many of doctors and major companies that use VM's service from Sprint. And what do you expect for outsourced call centers anyway.

The article doesn't say though if it was VM USA or not. VM USA is different than VM.

cork1958
Cork
Premium
join:2000-02-26
said by seamore:

said by clone:

While I agree, it's not the best security method, anyone who is using Virgin Mobile for anything important anyway needs to have their head checked. Terrible service and worse customer support. What do you expect for $25 a month?

Let me guess, Apple fanboi, you are?

I will re-word what was stated there slightly.

Anyone who uses Virgin Mobile for ANYTHING, needs to have their head examined!!

Worst company I have ever dealt with and I will NEVER even think of using them again!!

Not surprising that their website sucks too. Always did when I tried to use it.

Only reason I ever created a Facebook account even, although not under my own name, as I wouldn't and don't use that POS site either, was just to get on the Virgin Mobile site and complain up a storm!
--
The Firefox alternative.
»www.mozilla.org/projects/seamonkey/

knighttoday

@pdx.net
Actually Clone, I have used Virgin Mobile for over 8 years and have no complaints at all. But then I just use my cell as a phone and some very light data use so I don't require much. That is what Virgin is good for and it is very good at it.
clone

join:2000-12-11
Portage, IN

Re: It's not that easy.

Glad it worked out for you. I had their $25 for 300 minutes with unlimited texts and data plan for 3 months on a BlackBerry and an Android (since I thought it was a BB related issue). It was a great value, but didn't work as advertised for me. Voice calls worked fine, but the data service seemed to be non-existent and I had numerous multi-day long text outages.

I use the texts to monitor systems at work, so that was not acceptable to me. I called VM, and their support staff seemed to only speak Spanish and assured me my issues would be fixed in 24 hours and that they had to "reset my account". This when there was news all over the internet about outages, but somehow it was my account.

Both of my pet peeves were fulfilled, speaking to people who can't understand me and lying to me (telling me there is no outage when there was). So I had to jump ship. If you're only using it for infrequent voice calls, I'm sure it's great as long as you don't leave the native coverage area. But when you advertise voice/text/data and can't provide it, that's false advertising.

I'll stand by my original statement, if you are doing something critical with it, you need to get your head checked.

supernac

join:2003-03-26
Springfield, MO
I've been using them for about a year, never had a problem.

imavmcust

@qwest.net
I think I get what I pay for, but Im disappointed that VM isn't ack'ing this issue and thinking about changing the login method?

As a Vm customer, this phone is used for chatting, and not for business - also, I dont save any info or even use a CC to fill up, so hopefully Im safe(as can be,considering) :/
hottboiinnc
ME

join:2003-10-15
Cleveland, OH

Re: It's not that easy.

It wouldn't be up to VM- it would be up to Sprint's Wholesale/Prepaid side. but also with him doing this and admitting, Sprint can go after him and have him charged with hacking them.
zod5000

join:2003-10-21
Victoria, BC
Reviews:
·Shaw

Seems like an easy fix.

It's not really a hack, its an attack. It's just someone who wrote a program that tries different passwords over and over again.

Most websites have a 3 strikes and your account is frozen mechanism in place. This prevents multiple attempts at guessing the password and is a very basic security precaution.

It wouldn't be hard to prove this guys thesis.. see how many times you can attempt an incorrect password before it locks you out?
kmcmurtrie

join:2006-04-18
Sunnyvale, CA
Reviews:
·SONIC.NET

Re: Seems like an easy fix.

Locking the account after three tries turns a privacy hole into a denial of service attack. You could potentially lock out hundreds of customers per second. A better response slows down responses (both pass and fail) with increasing login failures and varies the login questions to complicate automation. This puts attacks on a timescale where security teams can deal with them.

Slowing responses (tarpit) does not scale well to large systems. The incorrect login counter for a customer needs to be synchronized across all login systems to prevent high concurrency attacks. Each delayed response consumes memory and a TCP/IP port until it finishes. With those limitations, a big company could find it much easier to switch their customers to longer passcodes rather than build up enough hardware to combat distributed attacks from an army of hijacked computers.

dib22

join:2002-01-27
Kansas City, MO

Don't the Sprint and Boost brands also use 6 digit pin?

I do agree that the 6 digit numerical PIN is a really bad idea, but last time I had a personal sprint account it used the exact same method.

I can only guess that Boost does as well, since they are all one and the same company.
clone

join:2000-12-11
Portage, IN

1 recommendation

Re: Don't the Sprint and Boost brands also use 6 digit pin?

My postpaid Sprint account requires a standard username/password combination, and has done so for the last 5 years. Boost, IIRC, uses a 4-digit PIN.
georgeglass5

join:2010-06-07
New York, NY

Dont know what the

hubbub is about, I've used the optimus v on VM & use the rooted hotspot feature for 18 months & it works fine, guess you have to be in a major city for the sprint network to be an acceptable provider. For 27.56 a month 300minutes, unlim text & data at 2.5gig before throttling, its a great option.

VMUser653

@bhn.net

The login page is down

The site is up but when I tried to log into my account I got this instead:

[ServletException in:/common/layoutXSLT.jsp]
javax.xml.transform.TransformerConfigurationException:
javax.xml.transform.TransformerException:
javax.xml.transform.TransformerException:
xsl:stylesheet is not allowed in this position in the stylesheet!'