Slashdot Mirror


6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

7 of 80 comments

  1. Virgins? by bhagwad · · Score: 4, Funny

    I read this as "Six million virgins vulnerable to brute force attack :D"

  2. Penetration Testing? by InvisibleClergy · · Score: 5, Funny

    I would have thought that Virgin would be less vulnerable to penetration.

    1. Re:Penetration Testing? by judoguy · · Score: 4, Funny

      Not less vulnerable, just less experienced.

      --
      Peace is easy to achieve, just surrender. Liberty is much harder get/keep.
    2. Re:Penetration Testing? by marcello_dl · · Score: 4, Funny

      Like a Virgin,
      Hacked for the very first time,

      Like a Viiiiirgin
      Feel your host ping
      next tooooo miiiiine....

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  3. Re:Doesn't surprise me. by lattyware · · Score: 3, Interesting

    The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

    --
    -- Lattyware (www.lattyware.co.uk)
  4. This is fixed now by diversiform · · Score: 4, Informative

    according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

    1. Re:This is fixed now by 140Mandak262Jamuna · · Score: 3, Informative

      Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed logins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
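
The weakness described in the last comment above, modelled as an added example (not part of the thread and not Virgin Mobile's code): a lockout counter kept in a client cookie next to one kept server-side per account. The account number, PIN, function names and the 15-minute lockout window are constructed assumptions; only the four-attempt threshold comes from the comment.

```python
# Constructed model, not Virgin Mobile's code: all names and values are hypothetical.
import time

MAX_FAILURES = 4            # threshold mentioned in the comment above
LOCKOUT_SECONDS = 15 * 60   # assumption: the page does not state a lockout window
ACCOUNTS = {"5550100": "483921"}  # constructed phone number -> PIN


def cookie_counted_login(user, pin, cookies):
    """Flawed: the failure count lives in a cookie the client controls."""
    failures = int(cookies.get("failures", 0))
    if failures >= MAX_FAILURES:
        return "locked", cookies
    if ACCOUNTS.get(user) == pin:
        return "ok", {}
    return "denied", {"failures": str(failures + 1)}


class ServerCountedLogin:
    """Failure count is stored server-side, keyed by the account being guessed."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # user -> (failures, locked_until)

    def login(self, user, pin, cookies=None):  # client cookies are ignored on purpose
        failures, locked_until = self.state.get(user, (0, 0.0))
        if self.clock() < locked_until:
            return "locked"
        if ACCOUNTS.get(user) == pin:
            self.state.pop(user, None)
            return "ok"
        failures += 1
        locked = failures >= MAX_FAILURES
        self.state[user] = (0, self.clock() + LOCKOUT_SECONDS) if locked else (failures, 0.0)
        return "denied"


def wrong_guesses_accepted(attempt, tries=20):
    """Count wrong PINs evaluated for a client that never returns its cookies."""
    return sum(attempt("5550100", "000000", {}) == "denied" for _ in range(tries))


def compare():
    server = ServerCountedLogin()
    flawed = wrong_guesses_accepted(lambda u, p, c: cookie_counted_login(u, p, c)[0])
    fixed = wrong_guesses_accepted(server.login)
    return flawed, fixed
```

`compare()` returns `(20, 4)`: the cookie-based counter never trips for a client that discards its cookies, while the per-account counter stops evaluating guesses after the fourth failure. Keying the lock on the account alone also lets an outsider lock a subscriber out, so it is normally paired with per-source rate limiting.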