Hello World

Vodafone NZ Best Mate Exploit Discovered

By  , in , posted: 18-Sep-2007 18:55

[I accept no responsibility for your actions]

This 'bug' with the 'sign up' system gives people the ability to sign you up to best mate without your approval or knowledge. You are only notified that you have been signed up to the best mate addon when you receive a sms from Vodafone saying
Great! Your Bestmate Add-On has been applied. If you need more info please go 2 vodafone.co.nz/supaprepay or freecall 492

The thing with this bug, is its simplicity. All you need is anyones 021 prepay number with $6+ of credit and access to the the vodafone best mate site. A few clicks and there goes someones credit.

This is a letter from someone who was 'exploited', which they are sending into Campbell Live

Dear John.

I have recently had an issue with Vodafone. Someone I know signed me up for their BestMate service without my confirmation or acknowledgement.

All I got was a txt from Vodafone saying that I had been signed up for BestMate, and when I checked my account balance, I was $6 below what I originally was.

So I rung Vodafone Customer service to report this to them. At this stage I didn't know how I had been signed up for the service without my consent.

I spent 15 or so minutes talking to a customer representative, who claimed I could not be signed up without the person accessing my phone, or without my personal password. They also said I should have received a txt when I was signed up for BestMate, asking me to confirm it. However, I only got the one txt saying I was signed up for the service. The representative ended up calling the number who had been assigned my 'BestMate' and from his VoiceMail, got his name. They asked if I knew this person, and I said yes. They then said there must be something more to the story, and indicated I was not being truthful with them, and quickly ended the call.

I then chased up the person who was my new 'BestMate' the next day, and asked them about it. He told me that it was as simple as putting my number into a Vodafone website, and that their system was flawed. Before now, I assumed that this person must have found a complicated way around Vodafone's system, and Vodafone's reaction to my call was understandable.

But if this was true, Vodafone had indicated I was a liar, and dismissed my claims when they clearly had a poor system, incapable of taking care of their customers' precious credit.

With this information, I rung up Vodafone again today, and talked to another customer representative. For 15 minutes I essentially had the same conversation as the day before, and the representative obviously didn't believe me. I could actually hear her laughing at the other end of the phone, as if it was a joke. So I gave her the website, and asked her to have a look at it. I was put on hold again while she went to check it out.

A few minutes later, she came back to me to say there was no such website: www.bestmate.co.nz

I told her there definately was, I was accessing it at the present moment. I then gave her the website that the URL www.bestmate.co.nz takes you to, which is: https://getit.vodafone.co.nz/bestmates/

Another few minutes on hold, and she came back, profusely apologising, and offering to give my $6 credit back, which she had refused to do up until that point.

She admitted herself that the system was "dodgy" and that people could sign anyone up for BestMate. Imagine for example, how easy it would be to make a typo while signing up, and someone else ends up with your BestMate, and is charged $6. Or you could have someone, like I did, intentionally put your number in. Even further, someone could produce a computer program that randomly puts hundreds upon hundreds of numbers into the form, wasting loads of peoples' credit.

I am certain I am not the only person to have been through this. The Vodafone customer representative assured me that the problem would be investigated.

But i was also treated as a liar, and did not receive anything for my time, which helped alert them of a potential disaster within their system.

And unless this problem is sorted soon, plenty of people stand to lose more money from this flawed system.

I'm sure if you get onto this quick enough, the problem will still be available for you to check.
Simply go to the site: www.bestmate.co.nz
1. Select the prepay option.
2. Fill in the field "What’s your Prepay mobile number?" with any number (best if it's your own) that has at least $6 credit and no current BestMate
3. Pick a BestMate and put their number in the appropriate field.
4. Press submit
5. Assuming the problem is not yet fixed, wait for the txt confirming you are signed up, having entered no identifying details other than your phone number.

Hope you find the story interesting,
I personally think it deserves a bit of media interest,

Good going Vodafone!


It seems they are fixing the problem, this page http://www.vodafone.co.nz/personal/plans-services/plans/prepay/get-supa.jsp?utm_source=ratemymates&utm_medium=game&utm_content=prepay&utm_nooverride=1
Now shows "This service is currently unavailable, but you can still get Supa Prepay, BestMates and TXT2000 by TXTing us".

Other related posts:
Can someone tell me what 'Voodoo live' is? [updated]
Vodafone NZ running an EDGE network?
Update on the Vodafone bestmate glitch/bug/exploit

Trackback by JJ's Blog, on 18-Sep-2007 20:58

A flaw in Vodafone’s security allows anyone to drop $6 off your prepay balance.

The thing with this bug, is its simplicity. All you need is anyones 021 prepay number with $6+ of credit and access to the the Vodafone best mate site. A few clicks ...

Comment by Filterer, on 18-Sep-2007 21:00

Yea found this out a while ago when I signed up somebody (with their permission) to be my bestmate.

Couldn't come up with anything interesting to do except charge people $6, which I wasn't going to do.

Can you imagine, public wifi network and a script to run through vodafone numbers signing them up to 3 best mates and txt 2000. Would get expensive, quickly

Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and placed in the moderation queue for the blog owner's approval.

Your name:

Your e-mail:

Your webpage:

Fossie's profile