RISKS – Terence Eden’s Blog https://shkspr.mobi/blog Regular nonsense about tech and its effects 🙃 Sun, 22 Sep 2024 07:27:43 +0000 en-GB hourly 1 https://wordpress.org/?v=6.9.4 https://shkspr.mobi/blog/wp-content/uploads/2023/07/cropped-avatar-32x32.jpeg RISKS – Terence Eden’s Blog https://shkspr.mobi/blog 32 32 <![CDATA[Vodafone Exposes Users' Email Addresses]]> https://shkspr.mobi/blog/2010/09/vodafone-exposes-users-email-addresses/ https://shkspr.mobi/blog/2010/09/vodafone-exposes-users-email-addresses/#comments Wed, 22 Sep 2010 14:23:03 +0000 http://shkspr.mobi/blog/?p=2554 (Disclaimer - I used to work for Vodafone. I don't any more.)

A rather nasty flaw with Vodafone's "My Account" service was recently pointed out by Denny de la Haye. Vodafone will quite happily tell you the email address of any customer who has set up the "My Account" facility.

Vodafone offer a "My Account" facility - http://vodafone.co.uk/myaccount - you can use it to check your bills, manage your price place, etc. All very handy. Vodafone's My Account Facility

As with many services, a user needs a username and password. Login

Again, as usual, it will allow you to recover your password. Reminder

This is where the problem begins. To recover your password, you need to enter your mobile phone number.

This leads to this nasty privacy-busting screen. (I've obfuscated my email address). Exposed

All you need is someone's phone number. Now, there are several ways you could get a person's email address if you already know their phone number - ringing them up and asking them, for one - but Vodafone really needs to be more cautious with their customers' data.

There is nothing to stop a determined spammer from entering thousands of numbers and getting a long list of email addresses. Nothing to stop a fraudster from sending you an email to an address you only use with Vodafone. Nothing to stop you finding out that your boss's email is IlikeBigButts@example.com.

I'm sure that Vodafone will be closing this hole shortly - but it goes to show that even using unique email addresses is no protection from spammers when your private data is treated so poorly.

Update

A commenter on The Register notes that this trick also works with usernames. Now, you may not know a target's name - but trying a few common usernames reveals many email addresses. So now a potential spammer has your email address and your username. More than enough to make a convincing phishing attempt.

Update 23/09/2010

At some point this morning, around 1130, the website was finally taken down. Users are seeing this holding page. Holding Page

]]> https://shkspr.mobi/blog/2010/09/vodafone-exposes-users-email-addresses/feed/ 3