Vodafone plugs security vulnerability on UK service web site
Until this weekend, it was possible, using a simple trick, to access customer e-mail addresses and telephone numbers from the UK mobile operator's web site. The site displayed customers' private e-mail addresses after clicking on the 'forgot password' button on the account login screen. Further mouse work allowed access to mobile numbers. To view user details, users merely needed to guess a user name or read one off the forums.
The security vulnerability came to light as a result of a posting on Wednesday by user johnnytruant on the Vodafone forums. Vodafone customers then spent two days complaining on the forum that the password reminder service should have been taken down until the problem could be fixed. Instead, Vodafone representatives merely posted to the forum that they were urgently looking into the issue.
On Friday, a Vodafone spokesperson identified only as 'David' announced on the forum that the company had updated the My Account section of Vodafone.co.uk. Password reminders can now only be requested online. The statement stresses that it was never possible to access other users' account details. No apology has been forthcoming.
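The kind of flaw described above, a password-reminder form that echoes private contact details for any username typed into it, as an added illustration that is not Vodafone's code: a leaking handler beside a hardened one that answers identically for known and unknown usernames and sends the reminder only to the address already on file. The accounts, handler names and the `distinguishes_accounts` oracle check are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Account:
    username: str
    email: str
    mobile: str

# Constructed sample accounts; usernames are assumed to be public (e.g. forum handles).
ACCOUNTS: Dict[str, Account] = {
    "johnnytruant": Account("johnnytruant", "jt@example.net", "+44 7700 900123"),
    "alice": Account("alice", "alice@example.org", "+44 7700 900456"),
}

# Messages the server actually dispatched: (recipient e-mail, subject).
OUTBOX: List[Tuple[str, str]] = []

def forgot_password_vulnerable(username: str) -> dict:
    """Leaking design: private details are returned to whoever typed the username."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"ok": False, "error": "unknown user"}  # also confirms the name does not exist
    return {"ok": True, "email": acct.email, "mobile": acct.mobile}

GENERIC = {"ok": True,
           "message": "If that account exists, a reminder has been sent to its registered e-mail address."}

def forgot_password_hardened(username: str) -> dict:
    """Hardened design: identical response either way; contact details never leave the server."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        OUTBOX.append((acct.email, "Password reset link for your account"))
    return dict(GENERIC)

def distinguishes_accounts(handler: Callable[[str], dict], known: str, unknown: str) -> bool:
    """True when the response alone reveals whether a username exists (an enumeration oracle)."""
    return handler(known) != handler(unknown)
```

A regression test for such a form compares the responses for a real and a made-up username and fails if they differ in any field, including status code and timing-insensitive body.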