In association with heise online

27 September 2010, 14:15

Vodafone plugs security vulnerability on UK service web site

Until this weekend, it was possible, using a simple trick, to access customer e-mail addresses and telephone numbers from the UK mobile operator's web site. The site displayed customers' private e-mail addresses after clicking on the 'forgot password' button on the account login screen. Further mouse work allowed access to mobile numbers. To view user details, users merely needed to guess a user name or read one off the forums.

The security vulnerability came to light as a result of a posting on Wednesday by user johnnytruant on the Vodafone forums. Vodafone customers then spent two days complaining on the forum that the password reminder service should have been taken down until the problem could be fixed. Instead, Vodafone representatives merely posted to the forum that they were urgently looking into the issue.

On Friday, a Vodafone spokesperson identified only as 'David' announced on the forum that the company had updated the My Account section of Password reminders can now only be requested online. The statement stresses that it was never possible to access other users' account details. No apology has been forthcoming.

