Virgin Mobile USA subscribers are susceptible to account hijacking and misuse because the carrier's authentication can be defeated with a simple script, a developer revealed Monday, according to Help Net Security.
The problem lies in the account's authentication function: the username is the mobile phone number, the password is a six-digit PIN, and Virgin Mobile does not restrict repeated login attempts.
Kevin Burke, a developer with cloud communications Internet-as-a-Service (IaaS) company Twilio and himself a Virgin Mobile USA customer, reportedly proved the issue a month ago by breaking into the account with a brute-force script, and immediately notified the carrier of the danger.
An unauthorized user can read a customer's communication logs, register a different phone to lock the customer out and read their text messages, change the address on file and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and email address on the account, without any notification to the previous address, Wired reported.
Though Burke tried to escalate the issue, his efforts do not appear to have produced results. The response pointed him to the Terms of Service agreement, which relieves Virgin Mobile of all responsibility if other persons log in with a customer's credentials.
So he decided to go public so that subscribers would know they were at risk. Burke suggests a host of fixes, starting with allowing more complex passwords and locking down accounts after a few failed attempts, Wired stated.
With Sprint owning Virgin Mobile in the U.S., Computerworld's attempts to obtain a response on the issue were unsuccessful. However, after the report became public, Virgin Mobile appears to have implemented a change that locks users out after four failed log-in attempts.
That change, however, fails to address the issue. "It's completely ineffective. The freeze only works if you use the same cookies on each failed attempt," Burke told Computerworld.
"This is akin to Virgin asking people to tell them how many times they've failed to log in. The bypass is trivial -- clear your cookies between each request, or just make login attempts without sending any cookies," Burke added.
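The difference between the lockout Burke describes and an effective one comes down to where the failure counter lives. The following is an added illustration, not code from Virgin Mobile or from Burke: the weak version keeps the counter in the client's cookies, the hardened version keeps it server-side keyed on the account and the source address. The phone number, PIN, address and thresholds are constructed.

```python
import time
from collections import defaultdict

# Constructed sample credential store (phone number -> six-digit PIN).
USERS = {"5551234567": "482913"}
MAX_FAILURES = 4            # the four-attempt threshold the article reports
LOCKOUT_SECONDS = 15 * 60   # assumed window; the article gives none


def login_cookie_counted(phone, pin, cookies):
    """Weak design: the failure count is stored in the client's cookies.
    A client that arrives without cookies starts from a count of zero."""
    failures = int(cookies.get("failed", 0))
    if failures >= MAX_FAILURES:
        return False, cookies             # "locked", but only for this cookie jar
    if USERS.get(phone) == pin:
        return True, {}
    return False, dict(cookies, failed=failures + 1)


class AccountThrottle:
    """Hardened design: failures are counted server-side, keyed on the
    account and on the source address, so client state cannot reset them."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(list)     # key -> failure timestamps

    def _recent(self, key):
        cutoff = self.now() - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def login(self, phone, pin, src_ip):
        keys = (("acct", phone), ("ip", src_ip))
        # Refuse before checking the PIN, so a locked account leaks nothing.
        if any(self._recent(k) >= MAX_FAILURES for k in keys):
            return False
        if USERS.get(phone) == pin:
            for k in keys:
                self.failures.pop(k, None)    # reset on success
            return True
        for k in keys:
            self.failures[k].append(self.now())
        return False
```

A per-account lock on its own lets anyone freeze a subscriber out by guessing wrong a few times, which is why the server-side version also keys on the source address and ages entries out after a window. The article's other suggestion, permitting longer passwords than a six-digit PIN, reduces how far any throttle has to carry the load.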