February 3rd, 2009, 08:52 GMT · By

The Website of Virgin Mobile Canada Exposes Customer Accounts

The website of Virgin Mobile Canada displays poor authentication security
Thomas Milne, a test engineer at Sophos, has stumbled upon a gaping security hole on the website of Virgin Mobile. After poking around the website's WAP interface, he discovered that accessing other people's accounts was as easy as typing in their phone number.

Working at Sophos' Vancouver office, Mr. Milne is a customer of Virgin Mobile Canada. In a post published on the blog of Graham Cluley, senior technology consultant at Sophos, the quality assurance engineer explains that it all started with an unsolicited SMS message that the mobile operator sent him.

"Want front row tickets to So You Think You Can Dance? Click, then select ‘My Hot Deals’: http://my.vmobile.ca/vmc-wap/vmc-logon.do," the message, which Milne characterizes as boorish and "more than a little spammy sounding," reads. The tester explains that, when trying to access the URL from his computer browser, he was prompted with an access error claiming that phone identification was missing.

Upon trying to access the directory root in the URL (/vmc-wap/), he received a message box asking for something called a MIN. The rather cryptic requirement didn't put Milne off; he had the wit to input his own phone number, thus obtaining a successful "authentication." To test whether he could replicate this odd behavior, the QA engineer then entered the phone number of a colleague who was also a Virgin Mobile customer.

To his amazement, this also worked, meaning he could browse virtually anyone's account, change phone plans, spend their existing credit and so on. "So every customer’s account was wide open, using only their phone number. [...] Seeing as this is Graham’s blog I’ll keep it polite and simply say that this came as an ‘unpleasant surprise’ to me," Milne notes.

To its credit, Virgin Mobile promptly patched the security hole after being notified. In addition, personally identifiable information was not accessible through the vulnerable interface, and charging one's registered credit card required a PIN confirmation. "The company took the disclosure of this fairly seriously, and had it fixed after a few hours," the engineer points out.

Working in Quality Assurance, Milne speculates that the MIN authentication page could have been a page used for testing or troubleshooting that someone forgot to remove when moving the system to the production server. "While most people recognize these failings as ‘bad things,’ all too often they treat them as best practices rather than rules, and exceptions are made for the sake of convenience. Events like this should serve as a reminder to be careful where you make them," the tester advises.
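The two failures the article describes, an identifier (the MIN, i.e. the phone number) accepted as if it were a credential, and a troubleshooting page that stayed reachable in production, are modelled below in Python. This is an added illustration, not code from Softpedia, Sophos or Virgin Mobile: the account store, the PIN scheme, the lockout threshold and the environment switch are all assumptions, and the MINs, PINs and balances are constructed sample data. Only the /vmc-wap/ path names come from the article.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: MINs (Mobile Identification Numbers, i.e. phone
# numbers) and PINs are invented for this example and belong to no one.
PBKDF2_ROUNDS = 100_000   # assumed tuning knob; raise on real hardware
MAX_FAILURES = 5          # assumed lockout threshold for a short numeric PIN


def _hash_pin(pin, salt):
    """Salted, slow hash so a leaked store does not yield PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def _make_account(plan, credit, pin):
    salt = secrets.token_bytes(16)
    return {"plan": plan, "credit": credit, "salt": salt,
            "pin_hash": _hash_pin(pin, salt), "failures": 0}


ACCOUNTS = {
    "7805550100": _make_account("basic", 25.00, "4271"),
    "7805550199": _make_account("premium", 80.00, "9034"),
}


class AuthError(Exception):
    pass


def _session_for(min_number, acct):
    """What the WAP site hands back once the caller is trusted."""
    return {"min": min_number, "plan": acct["plan"], "credit": acct["credit"]}


def weak_logon(min_number):
    """The flaw the article describes: knowing a phone number is enough.
    A MIN is public information, so this is an account lookup, not a logon."""
    acct = ACCOUNTS.get(min_number)
    if acct is None:
        raise AuthError("unknown MIN")
    return _session_for(min_number, acct)


def hardened_logon(min_number, pin):
    """The MIN only identifies the account; a secret the holder knows proves it."""
    acct = ACCOUNTS.get(min_number)
    if acct is None:
        # Burn the same work as a real check so response time does not
        # reveal which MINs are valid, then give the same generic error.
        _hash_pin(pin, b"\x00" * 16)
        raise AuthError("invalid MIN or PIN")
    if acct["failures"] >= MAX_FAILURES:
        # A 4-digit PIN has 10,000 values; without a lockout it is guessable.
        raise AuthError("account locked; contact customer care")
    if not hmac.compare_digest(_hash_pin(pin, acct["salt"]), acct["pin_hash"]):
        acct["failures"] += 1
        raise AuthError("invalid MIN or PIN")
    acct["failures"] = 0
    return _session_for(min_number, acct)


def build_routes(environment):
    """Only the hardened logon is wired up in production. The MIN-only
    shortcut, if it must exist for troubleshooting, is confined to other
    environments so it cannot be forgotten on the production server."""
    routes = {"/vmc-wap/vmc-logon.do": hardened_logon}
    if environment != "production":
        routes["/vmc-wap/"] = weak_logon
    return routes


if __name__ == "__main__":
    print(weak_logon("7805550199"))                  # anyone can read this
    print(hardened_logon("7805550199", "9034"))      # only the PIN holder can
    print(sorted(build_routes("production")))        # no MIN-only route
```

The route-building step is the part that addresses Milne's closing point: a convenience endpoint is easiest to keep out of production when the code itself refuses to register it there, rather than relying on someone remembering to remove it.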

Note: The title of this article was modified in order to clearly reflect that only the website of Virgin Mobile Canada suffered this security breach, since there are several Virgin Mobile companies operating around the world, and all of them are separately owned.

READER COMMENTS:


Comment #1 by: Valerie Green on 28 Jun 2010, 16:20 UTC

I am sorry to say this, but I am no longer happy with Virgin Mobile. When I first bought Virgin Mobile phone, I was happy and very impressed with the phone services. Now, I feel like I've made a mistake.
my phone number is: 780-530-0587

Yours truly,
Valerie Green
