Web security is a tricky thing and you have to take a lot of measures to secure your website, if you have one. Most prominent brands work diligently to keep their websites secure from any possible exploits. However, sadly this doesn’t seem to be the case with the site of Virgin Mobile USA.
Virgin Mobile USA is, by no means, a small company. It boasts six million subscribers and is a prominent name in the US telecom industry. Kevin Burke, a security expert has now revealed that he has been able to find a very basic security vulnerability in Virgin Mobile’s website, a vulnerability which has put six million accounts of the subscribers at risk.
The vulnerability that Burke has found is that you can easily break into virtually anyone’s account using the website. All you need to know is the exact phone number. The password can’t be greater than six digits, a limit put by the official site when you sign up.
A well-known fact in the world of web security is that the smaller a password’s length is, the easier it is to guess. A 6-digit password means that there can only be 1 million password combinations for it. And to parse through a million possible passwords is a very easy task for even a basic programmer.
Burke says that using a Python code, he was able to test different password combinations and break into his own account using the Brute force technique. It is as simple as that and can be done to any of the six million Virgin Mobile USA accounts online.
Once you have broken into an account, you can read the entire log of SMS and calls, associate a different handset with that account, change the PIN, even purchase a new handset and change the mailing address. In brief, you are able to virtually screw up the life of the person who actually owns the account.
Burke wrote to Virgin Mobile USA, citing the vulnerability and asking them to take measures to resolve it. So far, the company hasn’t done anything whatsoever and so, Burke was forced to go public with this information.
Source: Kevin Burke