Vodafone Exposes Users' Email Addresses


(Disclaimer - I used to work for Vodafone. I don't any more.)

A rather nasty flaw with Vodafone's "My Account" service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the "My Account" facility.

Vodafone offer a "My Account" facility - http://vodafone.co.uk/myaccount - you can use it to check your bills, manage your price plan, etc. All very handy.
(Screenshot: Vodafone's My Account facility)

As with many services, a user needs a username and password.
(Screenshot: the login form)

Again, as usual, it will allow you to recover your password.
(Screenshot: the password reminder form)

This is where the problem begins. To recover your password, you need to enter your mobile phone number.

This leads to this nasty privacy-busting screen. (I've obfuscated my email address).
(Screenshot: the reminder result, with the email address exposed)

All you need is someone's phone number. Now, there are several ways you could get a person's email address if you already know their phone number - ringing them up and asking them, for one - but Vodafone really needs to be more cautious with their customers' data.

There is nothing to stop a determined spammer from entering thousands of numbers and getting a long list of email addresses. Nothing to stop a fraudster from sending you an email to an address you only use with Vodafone. Nothing to stop you finding out that your boss's email is IlikeBigButts@example.com.

I'm sure that Vodafone will be closing this hole shortly - but it goes to show that even using unique email addresses is no protection from spammers when your private data is treated so poorly.

Update

A commenter on The Register notes that this trick also works with usernames. Now, you may not know a target's name - but trying a few common usernames reveals many email addresses. So now a potential spammer has your email address and your username. More than enough to make a convincing phishing attempt.
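The flaw described above and in the update is a classic account-enumeration problem in a password-reminder flow: the page answers a phone number or username with the email address on file. The following is an added example (not Vodafone's code, and all account data in it is constructed) that puts the vulnerable lookup next to a hardened version, which gives one fixed response whatever is entered, sends the reset link only to the stored address, ignores inactive accounts, and throttles each caller.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample data, not Vodafone's: identifier (phone number or username) -> (email, active?).
# The inactive row mirrors the commenter's report that a number ported away years ago still resolved.
ACCOUNTS = {
    "07700900001": ("alice@example.com", True),
    "alice":       ("alice@example.com", True),    # same account, looked up by username
    "07700900002": ("bob@example.com", False),     # ex-customer, number ported out
}

# Vulnerable pattern: the reminder page echoes the address on file for any identifier it recognises.
def recover_vulnerable(identifier):
    record = ACCOUNTS.get(identifier)
    return record[0] if record else None

# Hardened pattern: one fixed response whether or not the identifier exists, the reset link goes
# out-of-band to the address on file (never back to the requester), inactive accounts get nothing,
# and each caller is limited to a handful of attempts per hour so bulk lookups are throttled.
GENERIC_RESPONSE = ("If we hold an active account for these details, a reset link has been "
                    "sent to the email address on file.")
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 3600
_attempts = defaultdict(list)   # caller -> timestamps of recent requests
outbox = []                     # stands in for the mail gateway: (email, reset token)

def _rate_limited(caller, now):
    recent = [t for t in _attempts[caller] if now - t < WINDOW_SECONDS]
    _attempts[caller] = recent + [now]
    return len(recent) >= MAX_ATTEMPTS

def recover_hardened(identifier, caller, now=None):
    now = time.time() if now is None else now
    if _rate_limited(caller, now):
        return "Too many requests; please try again later."
    record = ACCOUNTS.get(identifier)
    if record is not None and record[1]:
        email, _active = record
        outbox.append((email, secrets.token_urlsafe(32)))
    return GENERIC_RESPONSE
```

The response text and status code should be identical for known, unknown and inactive identifiers; response-time differences between those branches are a smaller leak that a real deployment would also want to even out.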

Update 23/09/2010

At some point this morning, around 1130, the website was finally taken down. Users are seeing this holding page.
(Screenshot: the holding page)



3 thoughts on “Vodafone Exposes Users' Email Addresses”

  1. Hi Terence, a good spot.

    It's actually worse than you think. I'm on O2, with a number ported from Vodafone 3 years ago. Entering my phone number displays my email address, even though I'm an ex-customer.

    Scott
