Vodafone privacy breach "serious"

Forums › One NZ (including Farmside) › Vodafone privacy breach "serious"

1 | 2 | 3 | 4 | 5

Jaxar

383 posts

Ultimate Geek
+1 received by user: 129

#1089013 15-Jul-2014 08:32

joker97: but whatever the password, you'd still need a username to see another person's account! is that not true?

it's not like you enter the masterpassword and you get to see all kinds of stuff - unless the username was also a MasterUSER ...

Yeah so not only were the number of duplicate passwords small but this guy had to accidentally typo his username to one that just happened to be one of the effected usernames with the same password. The chances of this occurring must be incredibly slim.

Please note: I have a professional bias towards Vodafone.

r2b2

586 posts

Ultimate Geek
+1 received by user: 109

#1089016 15-Jul-2014 08:35

Jaxar:
joker97: but whatever the password, you'd still need a username to see another person's account! is that not true?

it's not like you enter the masterpassword and you get to see all kinds of stuff - unless the username was also a MasterUSER ...

Yeah so not only were the number of duplicate passwords small but this guy had to accidentally typo his username to one that just happened to be one of the effected usernames with the same password. The chances of this occurring must be incredibly slim.

Don't forget the possiblity that the deliberately went out to try and find other effected usernames...

b0rg

95 posts

Master Geek
+1 received by user: 8

#1089058 15-Jul-2014 09:20

I didn't think I'd have to spell it out.. But it's easy to harvest email addresses, which are also often user names, then try those. It would be fairly easy to write a script to test a thousand user names with one password on a page.

b0rg!

Jaxar

383 posts

Ultimate Geek
+1 received by user: 129

#1089119 15-Jul-2014 10:11

b0rg: I didn't think I'd have to spell it out.. But it's easy to harvest email addresses, which are also often user names, then try those. It would be fairly easy to write a script to test a thousand user names with one password on a page.

Completely valid point when speaking about security in general. This wasn't some sort of deliberate attack however this was a customer who stumbled across it.
As you said though it is a basic authentication and we would not need an issue with duplicate passwords for it to be vulnerable to the kind of brute force attack you are describing which is why companies don't actually display full credit card numbers in an account screen like the article suggested it did.

Please note: I have a professional bias towards Vodafone.

Aaroona

3204 posts

Uber Geek
+1 received by user: 169

#1089373 15-Jul-2014 16:42

coffeebaron:
joker97: You sure you did? 123456 still works

This is bigger and more serious than first thought. There must be a master master password. This can only be fixed now with a master filter.

I think you are both wrong - 00000000 is actually the master password. [ref]

Batman

Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#1089400 15-Jul-2014 17:33

surely not?!!

1 | 2 | 3 | 4 | 5