Feeds

Vodafone secures email-flashing barn door

Horse settled down, bringing up foals

Providing a secure and efficient Helpdesk

Vodafone has secured the security breach that allowed anyone with a bit of time on their hands to collect subscribers' email addresses and phone numbers.

The hole came to light on Wednesday and allowed anyone to enter a phone number and get the corresponding email address, or enter a valid user name to get both the email and phone number of that user. As word spread about the flaw and customers started getting emails from strangers who knew their phone numbers, Vodafone spent the last couple of days scrabbling to fix the problem.

The flaw isn't new, but hadn't been noticed until now. When a user forgets their password Vodafone asks for their phone number and sends an email to the corresponding address with a reminder. The problem was that the site also confirmed to whom the email had been sent, displaying the subscriber's email address. Users quickly discovered the same thing could be achieved by guessing a login name, in which case both the phone number and email address could be collected.

But now that's been fixed, so customers who forget their password will still get sent a reminder but will have to take it on faith that Vodafone has sent the message to the right place.

"We have sent an email to your registered email address," Voda says. "When you get it, click on the link. This will take you to a page where you can reset your password and view your username." We tried it this morning and have yet to receive the corresponding email, so some work is obviously ongoing, but at least it didn't display our email address to the world.

Quite how many email addresses were compromised in the 48 hours Vodafone spent fixing the problem we don't know. The operator has been busy reassuring customers, explaining: "The personal data stored on their My Account profile has not been directly at risk as a result of the site's functionality."

This is true, but the customer's email address and phone number might well have been compromised and that might matter to them. ®

Security for virtualized datacentres

More from The Register

next story
TEEN RAMPAGE: Kids in iPhone 6 'Will it bend' YouTube 'prank'
iPhones bent in Norwich? As if the place wasn't weird enough
Consumers agree to give up first-born child for free Wi-Fi – survey
This Herod network's ace – but crap reception in bullrushes
Crouching tiger, FAST ASLEEP dragon: Smugglers can't shift iPhone 6s
China's grey market reports 'sluggish' sales of Apple mobe
Sea-Me-We 5 construction starts
New sub cable to go live 2016
New EU digi-commish struggles with concepts of net neutrality
Oettinger all about the infrastructure – but not big on substance
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
EE coughs to BROKEN data usage metrics BLUNDER that short-changes customers
Carrier apologises for 'inflated' measurements cockup
Comcast: Help, help, FCC. Netflix and pals are EXTORTIONISTS
The others guys are being mean so therefore ... monopoly all good, yeah?
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.