Feeds

Vodafone secures email-flashing barn door

Horse settled down, bringing up foals

3 Big data security analytics techniques

Vodafone has secured the security breach that allowed anyone with a bit of time on their hands to collect subscribers' email addresses and phone numbers.

The hole came to light on Wednesday and allowed anyone to enter a phone number and get the corresponding email address, or enter a valid user name to get both the email and phone number of that user. As word spread about the flaw and customers started getting emails from strangers who knew their phone numbers, Vodafone spent the last couple of days scrabbling to fix the problem.

The flaw isn't new, but hadn't been noticed until now. When a user forgets their password Vodafone asks for their phone number and sends an email to the corresponding address with a reminder. The problem was that the site also confirmed to whom the email had been sent, displaying the subscriber's email address. Users quickly discovered the same thing could be achieved by guessing a login name, in which case both the phone number and email address could be collected.

But now that's been fixed, so customers who forget their password will still get sent a reminder but will have to take it on faith that Vodafone has sent the message to the right place.

"We have sent an email to your registered email address," Voda says. "When you get it, click on the link. This will take you to a page where you can reset your password and view your username." We tried it this morning and have yet to receive the corresponding email, so some work is obviously ongoing, but at least it didn't display our email address to the world.

Quite how many email addresses were compromised in the 48 hours Vodafone spent fixing the problem we don't know. The operator has been busy reassuring customers, explaining: "The personal data stored on their My Account profile has not been directly at risk as a result of the site's functionality."

This is true, but the customer's email address and phone number might well have been compromised and that might matter to them. ®

Top three mobile application threats

More from The Register

next story
Virgin Media so, so SORRY for turning spam fire-hose on its punters
Hundreds of emails flood inboxes thanks to gaffe
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
Google looks to LTE and Wi-Fi to help it lube YouTube tubes
Bandwidth hogger needs tube embiggenment if it's to succeed
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.