(Disclaimer – I used to work for Vodafone. I don’t any more.)
A rather nasty flaw with Vodafone’s “My Account” service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the “My Account” facility.
Ugh. @VodafoneUK's website exposes my email address to anyone who knows (or randomly enters) my phone number on the 'forgot password' page.
— Denny (@denny) September 22, 2010
Vodafone offer a “My Account” facility – http://vodafone.co.uk/myaccount – you can use it to check your bills, manage your price plan, etc. All very handy.
As with many services, a user needs a username and password.
This is where the problem begins. To recover your password, you need to enter your mobile phone number – and the page then displays the email address registered against that number, before any proof that the number is yours.
All you need is someone’s phone number. Now, there are several ways you could get a person’s email address if you already know their phone number – ringing them up and asking them, for one – but Vodafone really needs to be more cautious with their customers’ data.
There is nothing to stop a determined spammer from entering thousands of numbers and getting a long list of email addresses. Nothing to stop a fraudster from sending you an email to an address you only use with Vodafone. Nothing to stop you finding out that your boss’s email is IlikeBigButts@example.com.
I’m sure that Vodafone will be closing this hole shortly – but it goes to show that even using unique email addresses is no protection from spammers when your private data is treated so poorly.
A commenter on The Register notes that this trick also works with usernames. Now, you may not know a target’s name – but trying a few common usernames reveals many email addresses. So now a potential spammer has your email address and your username. More than enough to make a convincing phishing attempt.
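To make the two complaints above concrete (harvesting by iterating over numbers, and the same trick with common usernames), here is an added illustration. It is not Vodafone’s code and not from the original post; the account store, phone numbers, usernames and addresses are constructed for the example. The first handler shows the flawed behaviour – the reply itself tells you whether the identifier exists and what the email is – and the second shows the usual fix: an identical reply whether or not the account exists, the address only ever appearing in the email sent out-of-band, and a per-client attempt limit so bulk enumeration is slow.

```python
"""Added illustration (not Vodafone's code): a password-reset lookup that
leaks the account's email address, beside one that does not.
All accounts below are constructed sample data."""

import secrets
import time
from collections import defaultdict

# Constructed sample account store: phone number -> account record.
ACCOUNTS = {
    "07700900001": {"username": "alice", "email": "alice@example.com"},
    "07700900002": {"username": "bob", "email": "bob-vodafone-only@example.com"},
}
BY_USERNAME = {acct["username"]: acct for acct in ACCOUNTS.values()}


def find_account(identifier):
    """Look an account up by phone number or by username."""
    return ACCOUNTS.get(identifier) or BY_USERNAME.get(identifier)


def forgot_password_leaky(identifier):
    """The flawed behaviour: the reply confirms the account exists and
    includes the email address on file, so anyone can harvest addresses
    by iterating over numbers or guessing common usernames."""
    acct = find_account(identifier)
    if acct is None:
        return "We don't recognise that number or username."
    return f"A password reset has been sent to {acct['email']}."


def harvest(candidates):
    """Enumerate: any candidate whose reply differs from the reply for an
    unknown identifier gives up an address. Returns {identifier: email}."""
    baseline = forgot_password_leaky("no-such-account")
    found = {}
    for cand in candidates:
        reply = forgot_password_leaky(cand)
        if reply != baseline:
            found[cand] = reply.rsplit(" ", 1)[-1].rstrip(".")
    return found


# --- hardened version (assumed design, not a description of Vodafone's fix) ---
GENERIC_REPLY = ("If that number or username is registered, a reset link "
                 "has been sent to the email address on file.")
RATE_LIMIT = 5              # reset attempts allowed per client per window
WINDOW_SECONDS = 3600
_attempts = defaultdict(list)   # client -> timestamps of recent attempts
outbox = []                     # stand-in for the mail sender: (to, body)


def _rate_limited(client, now):
    """Sliding-window counter: True once the client has used its allowance."""
    recent = [t for t in _attempts[client] if now - t < WINDOW_SECONDS]
    _attempts[client] = recent
    if len(recent) >= RATE_LIMIT:
        return True
    recent.append(now)
    return False


def forgot_password_safe(identifier, client, now=None):
    """Same reply whether or not the identifier exists; the address only
    ever reaches the mailbox it belongs to; each client gets a fixed number
    of attempts per window. The lookup runs in both cases so the two
    branches do comparable work."""
    now = time.time() if now is None else now
    if _rate_limited(client, now):
        return "Too many requests. Please try again later."
    acct = find_account(identifier)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        outbox.append((acct["email"], f"Reset link: https://example.com/reset/{token}"))
    return GENERIC_REPLY


if __name__ == "__main__":
    print(harvest(["07700900001", "07700900002", "07700900003", "bob", "carol"]))
    print(forgot_password_safe("07700900001", "client-a"))
    print(forgot_password_safe("07700900003", "client-a"))
```

Two caveats a reviewer would raise on the hardened version: the rate limit is keyed by client (source address or session), so a distributed scraper still needs a second, global limit on reset requests; and the email must be sent asynchronously in a real deployment, otherwise the extra time spent sending mail for real accounts reveals the branch that the identical reply text hides.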
At some point this morning, around 11:30, the website was finally taken down. Users are seeing this holding page.