Vodafone’s My Account system exposes user information


There’s a raft of Vodafone UK customers up in arms because of a recently discovered flaw in the company’s My Account online control panel.

Mobile enthusiast-cum-uber-geek Terence Eden documents the joyous experience on his blog. The quick overview? Use the password reminder feature to type in a random phone number and the system will tell you if there’s an email address registered to that account. It’s an unfortunate error that Vodafone’s legions of developers should have considered.

As Terence points out, to recover your password, you type in your phone number. If the system finds your details, it says ‘thanks, we’ve sent an email to [your email address]’. This makes some sense for you and me when we’re using the system with a genuine requirement.

However, it was possible to type in any number and increment it sequentially, picking up both the phone number and the email address of each account.

A chap called @denny pointed this out yesterday at 1pm on Twitter. Terence reports that it appears to have taken until 11:30am this morning for Vodafone to patch the flaw. I tried it this evening and now the system definitely seems patched.

There’s no indication right now whether some enterprising chap has discovered this ‘feature’ and run a script to pick out the details for every number from 07100 000 000 to 07999 999 999 in Vodafone’s user control panel database. Not good at all.
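To make the two points above concrete, here is an added example (my own illustration, not Vodafone’s code or anything from Terence’s post). It shows the pattern of reset response described above beside a version that returns the same message whether or not the number is registered, and a simple log check that flags a client walking through phone numbers sequentially, which is the scripted sweep worried about here. The account store, the client addresses and the request log are all constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample account store: phone number -> registered email address.
ACCOUNTS: Dict[str, str] = {
    "07100000001": "alice@example.com",
    "07100000003": "bob@example.com",
}


def normalize_phone(phone: str) -> str:
    """Strip the spaces people type (e.g. '07100 000 001') so lookups and
    sequence checks compare like with like."""
    return phone.replace(" ", "")


def leaky_reset_response(phone: str) -> str:
    """The behaviour the post describes: the reply differs for known and
    unknown numbers, and for known numbers it echoes the email address."""
    email = ACCOUNTS.get(normalize_phone(phone))
    if email is None:
        return "We could not find an account for that number."
    return f"Thanks, we've sent an email to {email}"


def hardened_reset_response(phone: str, outbox: List[Tuple[str, str]]) -> str:
    """Same user-facing flow, but the response is identical whether or not the
    number exists. The email (if any) goes out of band via `outbox`, a stand-in
    for a mail sender, so nothing on screen reveals account existence."""
    email = ACCOUNTS.get(normalize_phone(phone))
    if email is not None:
        outbox.append((email, "password reset link"))
    return ("Thanks. If that number is registered, we've sent a reset email "
            "to the address on the account.")


def longest_sequential_run(phones: List[str]) -> int:
    """Length of the longest run of consecutive phone numbers, in the order
    they were requested. A human resetting their own password produces 1;
    a script incrementing the number produces a long run."""
    if not phones:
        return 0
    longest = run = 1
    for prev, cur in zip(phones, phones[1:]):
        if int(normalize_phone(cur)) == int(normalize_phone(prev)) + 1:
            run += 1
            longest = max(longest, run)
        else:
            run = 1
    return longest


def flag_enumerators(requests: List[Tuple[str, str]], threshold: int = 5) -> List[str]:
    """Group reset requests by client and return the clients whose requests
    contain a sequential run of at least `threshold` numbers."""
    by_client: Dict[str, List[str]] = defaultdict(list)
    for client, phone in requests:
        by_client[client].append(phone)
    return sorted(c for c, phones in by_client.items()
                  if longest_sequential_run(phones) >= threshold)


# Constructed request log: (client address, phone number submitted).
# 10.0.0.9 sweeps eight consecutive numbers; 192.0.2.7 is a genuine user.
SAMPLE_REQUESTS: List[Tuple[str, str]] = (
    [("10.0.0.9", f"0710000000{i}") for i in range(8)]
    + [("192.0.2.7", "07100 000 003")]
)

if __name__ == "__main__":
    print(leaky_reset_response("07100000001"))
    print(leaky_reset_response("07100000002"))
    sent: List[Tuple[str, str]] = []
    print(hardened_reset_response("07100000001", sent))
    print(hardened_reset_response("07100000002", sent))
    print("mail actually sent:", sent)
    print("suspected enumerators:", flag_enumerators(SAMPLE_REQUESTS))
```

The detector is deliberately crude: it only catches a client that increments numbers in order from one address. In practice you would also rate-limit reset requests per client and per target number, and alert on the overall request volume, since a sweep can be spread across addresses or shuffled.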

If you’re working at a mobile operator, take a few minutes to check you didn’t buy the same My Account system as Vodafone did… 😉

By Ewan

Ewan is Founder and Editor of Mobile Industry Review. He writes about a wide variety of industry issues and is usually active on Twitter most days. You can read more about him or reach him with these details.

1 reply on “Vodafone’s My Account system exposes user information”

Ah, the lovely My Account.

Luckily, my Vodafone phone number is for reasons unknown not compatible with My Account, which just returns an “Internal error” when I try to register. We even used our enterprise support contacts to have it looked at, only to have Vodafone come back and say that “Your phone number is not compatible with our services.”

How does Vodafone suck? Let me count the ways…
