SecurityTube

Developer Warns Millions of Virgin Mobile Subscribers About Authentication Flaw

JB

An Alamo, Texas developer on Monday warned Virgin Mobile U.S. subscribers that their accounts can be hacked after the company failed to respond with a fix.

"I reported the issue to Virgin Mobile a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly," Kevin Burke said in a blog post.

Burke said he discovered that the carrier's current authentication method relied on the user's phone number and a six-number PIN to access an account. One user later said in a comment the company recommends using birthdates for passcodes.

Using his own account, he created a script to more quickly narrow in on the one million possible passwords. Once the script unlocked his numeric PIN he realized "pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number."