We found you can hijack a Sprint user's account as long as you know
their cellphone number, just a smidge about them, and have half a
brain. Once inside, you have total access to their account. You could
change their billing address, order a whole bunch of cellphones sent
to a drop location, and leave the victim paying the bill. There's also
the stalker's wet dream: add GPS tracking to their cellphone and
secretly watch their every movement from any computer. Reader Jim told
Sprint about this 2 months ago but they ignored him, so I tested it
out and am publishing the results in the hope of getting Sprint to fix
this exploit. I'll show you how we cracked into a Sprint account and
just how much damage I could have done, inside...

First I needed someone to volunteer their Sprint cellphone number to
test for research purposes. Intern Alex Chasick put out a request on
his IM Away Message and within minutes Nathan (thanks Nathan!) offered
up his number.

Next I went to a part of the Sprint website where you register for
online account access. I filled out some account registration and then
chose to have Sprint ask me a few questions to verify my identity so
I could set up my PIN code. This is where it gets fun.

Alex is in his 20s and lives in the Washington DC area, so I figured
that our mark is too. Just knowing that, I was able to answer all the
questions correctly on the first shot. Here's what they were:

"Which of the following vehicle makes has been registered at the
following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None
of the Above."

I figure a college kid is not going to have a Lotus, Lamborghini, or a
Fiat, so I went with Honda.

"Which of the following people have resided with you or used the same
address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome
Ponicki, John Pace, None of the above."

The extra space in Jerry's last name caught my eye. That looks like a
data entry error, like the name was probably grabbed from an actual
database instead of a generated fake name. So I went with that one.

"In which of the following cities have you NEVER lived or used in your
address? Longmont, North Hollywood, Genoa, Butte, All of the above."

I've never heard of any of those cities being near DC, so I went with
"all of the above."

And then, open sesame, I'm in.
http://consumerist.com/376845/flawed...asily-hijacked