If you are a company with millions of users, it is usually expected that you will ensure fool-proof security for your users’ accounts. A developer has now claimed that Virgin Mobile USA entirely fails on this front, citing a very basic security vulnerability in the company’s website.
Kevin Burke says that when he first came across the vulnerability, he contacted Virgin Mobile USA directly. However, after numerous back-and-forth communications, the company did nothing to eliminate the vulnerability. It was then that Burke took to venting on his own blog.
Burke notes that when signing up for a user account on Virgin Mobile USA’s site, you have to choose a six-digit password. When it comes to passwords, the popular tech wisdom is ‘the longer, the better’: the shorter a password is, the easier it is to crack. For a six-digit password, there are a total of one million (10^6) combinations.
That may sound like a lot, but with rather basic code those one million combinations can be sifted through in virtually no time. The technique is called brute force. Burke tested the technique by trying to break into his own account and, not surprisingly, succeeded without any trouble.
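As an added illustration (not from the article or from Burke’s own test), the following Python quantifies the six-digit keyspace described above and simulates enumeration against an in-memory toy login, first with no protection and then with an assumed lockout policy; the PIN, guess rate and lockout threshold are constructed values.

```python
from typing import Optional, Tuple
import secrets

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets of a given length over an alphabet."""
    return alphabet_size ** length

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second

class PinLogin:
    """Toy in-memory account: checks a PIN and, if max_failures is set, locks
    after that many wrong guesses (assumed policy; the article reports none)."""

    def __init__(self, pin: str, max_failures: Optional[int] = None):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, guess: str) -> bool:
        if self.locked:
            return False
        if secrets.compare_digest(guess, self._pin):  # constant-time compare
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False

def simulate_enumeration(login: PinLogin, length: int = 6) -> Tuple[bool, int]:
    """Try every numeric PIN in order against the toy account.
    Returns (found, guesses_made); stops early once the account locks."""
    for n in range(10 ** length):
        if login.attempt(f"{n:0{length}d}"):
            return True, n + 1
        if login.locked:
            return False, n + 1
    return False, 10 ** length

if __name__ == "__main__":
    space = keyspace(10, 6)  # 1_000_000, the figure the article gives
    print(f"6-digit PIN keyspace: {space}")
    print(f"at 1000 guesses/s, exhausted in {seconds_to_exhaust(space, 1000):.0f} s")
    # constructed PIN; an unprotected account falls to enumeration...
    print(simulate_enumeration(PinLogin("004242")))
    # ...while a lockout after 5 failures stops it after 5 guesses
    print(simulate_enumeration(PinLogin("004242", max_failures=5)))
```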
The worst part is that once you are signed into an account, you can view the SMS and call logs, purchase a new handset, change the billing address and make a whole lot of other changes. For an account offering such a breadth of features, the security certainly ought to be much better. Virgin Mobile hasn’t yet responded to Burke’s blog post.