Feeds

Nextel security glitch nipped in the bud

A good outcome, for a change

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Register reader Mike Koper alerted us to a security flaw in cellular service provider Nextel Communications' on-line Account Manager Friday which would have enabled users to access other customers' account details.

Koper's discovery is of a class that plagues many similar on-line services, where logging in generates a URL to a user's records. Often, the user's account number will appear in the URL, and by manipulating it with substitute numbers, one can easily access other accounts. Sometimes merely viewing the login page source-code will give a would-be intruder enough information to guess how to manipulate the URL.

Koper reckons it would have been possible to abuse the Nextel Account Manager to add a newly-purchased phone to another customer's account, close an existing account, change a user's calling options and the like.

It would also be possible to stalk a Nextel cellular customer and track their phone calls, essentially conducting an unauthorised trap and trace, Koper notes. So long as the victim's name, mobile phone number and address are known to the stalker, one could "call Customer Care and give them the [victim's] info, and then ask what the account number is because you don't have your bill in front of you."

"Once you have the account number, you could start checking their bills on-line and see who they're calling, shut down their phone and so on," Koper notes.

Fortunately, Nextel responded swiftly to the news Friday and disabled the link on their home page to the Account Manager while they set about making repairs. (And yes, typing in the URL would still have brought the page up. This was a reasonable gamble by Nextel since we wouldn't have gone to press until they'd bunged the hole.)

"We were glad to have this brought to our attention," Nextel Vice President for Corporate Communications Ben Banta told The Register. "Fortunately, there have been no complaints [from customers]," he noted.

The hole was reported and action taken before any customer accounts were compromised, Banta said. Customer Koper appears to have been the first Nextel Account Manager user to notice the glitch. However, Banta disputes some of Koper's claims about the potential for abuse, which he says would have been limited to deleting voice-mail messages and changing caller options.

The de-bugged system got its final check and went back on line Monday evening. The company is "confident" in its repairs, Banta assured us.

Nextel's handling of the glitch deserves recognition. It's not unusual for companies to spin their way out of this sort of news in an effort to maintain consumer confidence at the expense of the truth. But we reckon consumers respect a forthright admission of the facts, however unpleasant, followed by a swift undertaking to correct the problem. It's reassuring to encounter one company, at least, that would tend to agree. ®

5 things you didn’t know about cloud backup

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws
Yep, that one place you'd hoped you wouldn't find 'em
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
Ex-IBM CEO John Akers dies at 79
An era disrupted by the advent of the PC
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.