Since the EE two security flaws that were previously reported, it now seems that Sprint are also making the news for having security vulnerability in their system.
Sprint Portal Vulnerable To Hacking
As reported by Tech Crunch, a researcher discovered a security flaw in Sprint staff portal. Exploiting the system’s weak passwords and absence of two-factor authentication, the researcher succeeded in accessing the firm’s internal staff portal.
Reportedly, the researcher simply exploited two sets of weak credentials to access the system. In the first instance, the researcher gained staff access to the portal. Through this account, he could access the data of the customers of Sprint, Virgin Mobile, and Boost Mobile. Then, using the second set of credentials, he could access the portal for customer account data. This even allowed him to do major changes in a customer’s account.
“Anyone with access to this portal allowed the user to conduct a device swap, change plans and add-ons, replenish a customer’s account, check activation status and view customer account information.”
To do so, an attacker simply had to enter a customer’s mobile number and a four-digit PIN. Anyone could easily guess the PIN by repeated attempts since the portal had “no limit on the number of attempts”.
Sprint Working Out To Patch The Flaw
Tech Crunch obtained screenshots of the matter, which they shared with Sprint staff in their report. They also confirm that the passwords were easy to crack.
“We’re not disclosing the passwords, but suffice to say they were not difficult to guess.”
After discovery, Sprint began working to resolve the vulnerability. Nonetheless, they also state that the flaw did not put any of the firm’s data at risk.
“After looking into this, we do not believe customer information can be obtained without successful authentication to the site. Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts.”
Take your time to comment on this article.
Latest posts by Abeerah Hashim (see all)
- HackerOne Awarded $3500 In Bounties For Two Vulnerabilities Affecting The Platform - November 11, 2019
- DHS Alerts About Multiple Vulnerabilities In Medtronic Valleylab Equipment - November 11, 2019
- Apple Mail On MacOS Stores Parts Of Encrypted Emails In Unencrypted Form - November 11, 2019