Hacker Demonstrates Weak Security In Freedom Mobile’s Customer Login System

MobileSyrup is reporting that a hacker who goes by the moniker NullHumanity has uncovered a vulnerability in Freedom Mobile’s customer login system, meaning that Freedom Mobile customers could be at risk of hackers gaining access to some of their personal information:

It’s CAPTCHA after 3, which is not unbreakable. Also there exists a method to forcibly reset the counter after one hour. This was a trivial discovery during my initial research period.

A skilled attacker would find this, and would be almost guaranteed to have a CAPTCHA bypass method at their disposal. 5 requests per hour is still going to result in a lot of account details being found.

I added very large delays in my script so as not to stress the login server and I was still seeing a new success every 30 or so seconds.

I would say a skilled attacker could breach an account and extract data 200 times per minute on a mid level machine.

In other words, it’s possible to brute force your way into the system: the lockout only kicks in after a handful of failed guesses, the counter behind it can be reset, and the CAPTCHA that is supposed to back it up can be bypassed. And once you’re in, you could have access to all that personal information.
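To make that concrete, here is an added toy model of a PIN-protected login. It is not code from MobileSyrup, NullHumanity or Freedom Mobile; the account numbers, PINs, attempt limits, the reset endpoint and the source address are all hypothetical. It goes a little beyond the report in that the hardened version also adds a per-source failure budget across all accounts and a blocklist of common PINs at set-time, neither of which the article describes.

```python
from collections import defaultdict

# Constructed blocklist for the model; a real deployment would use a far longer one.
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777", "2000", "4444", "2222"]


class WeakLogin:
    """Models the reported behaviour: a per-account failure counter that the
    attacker can reset (the reset endpoint here is hypothetical)."""
    MAX_ATTEMPTS = 5

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # phone -> PIN, plaintext for the model only
        self.failed = defaultdict(int)

    def reset_counter(self, phone):
        self.failed[phone] = 0           # the "forcibly reset the counter" flaw

    def login(self, phone, pin, src="anon"):
        if self.failed[phone] >= self.MAX_ATTEMPTS:
            return "locked"
        if self.accounts.get(phone) == pin:
            self.failed[phone] = 0
            return "ok"
        self.failed[phone] += 1
        return "fail"


class HardenedLogin:
    """Counters live server-side and only the clock clears them; a per-source
    failure budget spans all accounts; common PINs are refused at set-time."""
    MAX_ATTEMPTS = 5      # failures per account per window
    SRC_BUDGET = 20       # failures per source per window, across all accounts
    WINDOW = 3600         # seconds

    def __init__(self, accounts, clock):
        self.accounts = dict(accounts)   # existing accounts are kept as-is
        self.clock = clock               # callable returning seconds (injectable)
        self.failed = {}                 # phone -> [count, window_start]
        self.src_failed = {}             # src -> [count, window_start]

    def set_pin(self, phone, pin):
        """Refuse blocklisted PINs when a customer picks or changes one."""
        if len(pin) < 4 or pin in COMMON_PINS:
            return False
        self.accounts[phone] = pin
        return True

    def _bucket(self, table, key):
        now = self.clock()
        count, start = table.get(key, (0, now))
        if now - start >= self.WINDOW:   # window elapsed: start a fresh bucket
            count, start = 0, now
        table[key] = [count, start]
        return table[key]

    def login(self, phone, pin, src):
        acct = self._bucket(self.failed, phone)
        source = self._bucket(self.src_failed, src)
        if source[0] >= self.SRC_BUDGET:
            return "blocked"             # too many failures from this source
        if acct[0] >= self.MAX_ATTEMPTS:
            return "locked"              # no client-reachable reset exists
        if self.accounts.get(phone) == pin:
            acct[0] = 0
            return "ok"
        acct[0] += 1
        source[0] += 1
        return "fail"


class FakeClock:
    """Deterministic clock so the lockout window can be exercised offline."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def make_accounts(n=50):
    """Constructed sample: every fifth account uses a common PIN, the rest do not."""
    accounts = {}
    for i in range(n):
        phone = f"555000{i:04d}"
        if i % 5 == 0:
            accounts[phone] = COMMON_PINS[(i // 5) % len(COMMON_PINS)]
        else:
            accounts[phone] = f"{9000 + i * 7:04d}"   # 9000..9343, none common
    return accounts


def spray(service, phones, pins, src="203.0.113.7", reset=False):
    """Horizontal guessing: each candidate PIN against every account.
    Returns the set of (phone, pin) pairs that logged in."""
    found = set()
    for pin in pins:
        for phone in phones:
            if reset:
                service.reset_counter(phone)     # abuse the reset flaw first
            if service.login(phone, pin, src) == "ok":
                found.add((phone, pin))
    return found


def demo():
    """Accounts compromised by one attacker running COMMON_PINS against the
    50 sample accounts: weak lockout, weak lockout plus the reset flaw, hardened."""
    accounts = make_accounts()
    phones = list(accounts)
    weak = len(spray(WeakLogin(accounts), phones, COMMON_PINS))
    weak_reset = len(spray(WeakLogin(accounts), phones, COMMON_PINS, reset=True))
    hardened = len(spray(HardenedLogin(accounts, FakeClock()), phones, COMMON_PINS))
    return weak, weak_reset, hardened


if __name__ == "__main__":
    print(demo())   # (7, 10, 1) with the constructed sample
```

Three things in the hardened version matter. The per-account counter can only be cleared by the passage of time, so the reset trick has nothing to reset. The per-source budget catches the horizontal pattern in the report (slow, spread across many accounts) that a per-account limit alone never sees; an attacker with many source addresses needs more than this, but the single-machine rate quoted above is gone. And refusing common PINs when they are set is the operator-side answer to "cannot protect against guessing common passwords".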

Freedom Mobile said this:

For its part, Freedom Mobile’s vice-president of external affairs, Chethan Lakshman, stated over email: “The security measures we have in place cannot protect against guessing common passwords. We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information.”

Lakshman also said that Freedom continuously reviews its security practices and is “committed to making improvements and changes as appropriate to continue keeping our customers’ information secure.” Freedom’s security measures, said Lakshman, are designed to protect Freedom Mobile customers’ information from malicious activity while “meeting customer demands for a reasonable login process.”

I guess that translates to “if you get pwned, it’s not our fault.” As for their advice to change your PIN frequently: that’s not going to make you any safer, because swapping one easily guessed PIN for another does nothing against an attacker who is working through common PINs across many accounts. What will make users safer is for Freedom Mobile to give its login security a rethink. You’d think that Freedom Mobile would take the security of its user base seriously, but based on the statement above, clearly it doesn’t.
