Tuesday 28 August 2018

Security Vulnerability Found on Sprint Telecom Providers’ Staff Portal

Sprint system has a vulnerability

Following the two security flaws previously reported at EE, it now seems that Sprint is also making the news for a security vulnerability in its systems.

Sprint Portal Vulnerable To Hacking

As reported by Tech Crunch, a researcher discovered a security flaw in Sprint's staff portal. Exploiting the system's weak passwords and the absence of two-factor authentication, the researcher succeeded in accessing the firm's internal staff portal.
Reportedly, the researcher simply used two sets of weak credentials to access the system. With the first, he gained staff-level access to the portal, through which he could reach the data of Sprint, Virgin Mobile, and Boost Mobile customers. With the second, he could reach the portal for customer account data, which even allowed him to make major changes to a customer's account.
“Anyone with access to this portal allowed the user to conduct a device swap, change plans and add-ons, replenish a customer’s account, check activation status and view customer account information.”
To do so, an attacker simply had to enter a customer's mobile number and a four-digit PIN. Because the portal placed "no limit on the number of attempts", the PIN could be guessed by repeated attempts.
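The missing control here is an attempt limit per account. The following is an added Python example written for this post (not Sprint's code) of a PIN check that locks the account after a few failures; the attempt and lockout limits are assumed policy values.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # failed guesses allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked (assumed policy)


@dataclass
class PinState:
    pin: str
    failures: int = 0
    locked_until: float = 0.0


class PinGate:
    """Verifies a customer's four-digit PIN and locks the account after repeated failures."""

    def __init__(self, clock=time.monotonic):
        self.accounts = {}   # mobile number -> PinState
        self.clock = clock   # injectable so tests can advance time

    def enroll(self, msisdn, pin):
        self.accounts[msisdn] = PinState(pin=pin)

    def verify(self, msisdn, guess):
        state = self.accounts.get(msisdn)
        if state is None:
            return "rejected"          # same answer as a wrong PIN for unknown numbers
        now = self.clock()
        if now < state.locked_until:
            return "locked"            # refuse even a correct PIN while locked
        if hmac.compare_digest(state.pin, guess):
            state.failures = 0         # success resets the failure counter
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            return "locked"
        return "rejected"
```

With this gate a four-digit PIN yields at most MAX_ATTEMPTS guesses per lockout window instead of the full 10,000, which is what the attempt limit buys the defender.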

Sprint Working To Patch The Flaw

Tech Crunch obtained screenshots of the issue, which they shared with Sprint in their report. They also confirm that the passwords were easy to crack.
“We’re not disclosing the passwords, but suffice to say they were not difficult to guess.”
After the discovery, Sprint began working to resolve the vulnerability. Nonetheless, the firm also states that the flaw did not put any of its data at risk.
“After looking into this, we do not believe customer information can be obtained without successful authentication to the site. Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts.”
Take your time to comment on this article.