Visual voicemail hack makes your messages a snack

Sydney penetration tester Shubham 'Shubs' Shah has urged US and European researchers to probe their telco's voicemail security after he found accounts held by local telcos Vodafone and Optus were open to attack. The two telcos were vulnerable because design flaws mean neither limited the number of password guessing attempts in …

  1. Shadow Systems

    *GolfClap* Fekkin brilliant.

You don't tell your users that you've created an account for them, then helpfully "password protected" it with their default PIN, and leave the systems unpatched so ScriptKiddies can do a simple BruteForceAttack to gain entry. Which then gives them the PIN to the user's account, which gives them the same admin rights over the account as the unnotified owner, who then gets to find out the hard way that they're getting screwed through an attack vector they didn't even know existed. Whose brain dead, dip shit, mentally retarded, drooling on their own shoes in delight, padded helmet wearing, mittens with the connecting string, name sewn in the underwear, Speshul Snowflake idea was this, and how soon before we can witness their public execution for crimes against humanity? SonofabitchmotherfuckingassspelunkingdumbassFUCKTARDS!

Now if you'll excuse me, I've got to go verify that I don't have any accounts my provider hasn't bothered to tell me about. Then I'll change the password. Then I'll hunt down who did it & feed them back their colon. Grrrrrr...

    1. Rabbit80

      Re: *GolfClap* Fekkin brilliant.

Of course, it's pointless changing your passwords given that these dip shits obviously don't give a flying fuck about security and have probably secured the server and databases with admin / admin or similar. The chances of your password being salted, hashed and peppered are likely nil.

  2. Ashton Black

    Security IS a dirty word to some of these Telcos, apparently. I mean, hiring a full time pen tester team, may cost in the thousands perhaps low millions, but the cost of not doing, is shown with debacles like this.

  3. Roo

    Sigh, DOS as a security feature...

I can see how Vodafone came to make the schoolboy error of locking accounts after N failed attempts. Microsoft made DOS by login failure a feature on nearly every workplace desktop and people have copied it ever since...

    It would be nice if some big names made some moves to fix this particular misfeature.
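The article summary at the top says neither telco limited the number of PIN guesses, and Roo's comment above says the obvious fix, a hard lock after N failures, turns the login into a denial-of-service lever. The simulation below, added here as an illustration and not code from The Register article, Vodafone or Optus, runs the same brute-force attacker against one mailbox under three policies: no limit, hard lockout, and a capped exponential delay between guesses. The 4-digit PIN, the 10 ms per guess, the lockout threshold of 5 and the 15-minute cap are all assumptions made for the example; time is a simulated clock so it runs offline and instantly.

```python
"""Guess-rate policies for a voicemail PIN check, compared by simulation.

Added example for this comment page; not code from The Register article,
Vodafone or Optus. Assumptions not stated on the page: PINs are 4 digits,
the attacker can submit one guess per 10 ms, and time is a simulated clock
so the whole run finishes instantly and offline.
"""
import hashlib
import hmac

PIN_LENGTH = 4          # assumption: 4-digit PIN, 10,000 candidates
ROUND_TRIP = 0.01       # assumption: seconds per attacker guess
ALL_PINS = [f"{i:0{PIN_LENGTH}d}" for i in range(10 ** PIN_LENGTH)]


class Clock:
    """Simulated time so the run is deterministic and fast."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def advance_to(self, t):
        self.now = max(self.now, t)


class Mailbox:
    """One voicemail account under one of three policies:
    'none'     - unlimited guesses (the flaw the article describes)
    'lockout'  - hard lock after max_fail wrong guesses (Roo's DoS misfeature)
    'throttle' - exponentially growing delay between guesses, capped at cap seconds
    """
    def __init__(self, pin, policy, clock, max_fail=5, base_delay=1.0, cap=900.0):
        self._digest = hashlib.sha256(pin.encode()).digest()
        self.policy, self.clock = policy, clock
        self.max_fail, self.base_delay, self.cap = max_fail, base_delay, cap
        self.fails = 0
        self.locked = False
        self.not_before = 0.0   # throttle: earliest time the next guess is accepted
        self.guesses = 0        # guesses that were actually evaluated

    def check(self, guess):
        if self.policy == "lockout" and self.locked:
            return "locked"
        if self.policy == "throttle" and self.clock.now < self.not_before:
            return "throttled"
        self.guesses += 1
        if hmac.compare_digest(self._digest, hashlib.sha256(guess.encode()).digest()):
            self.fails = 0
            self.not_before = 0.0
            return "ok"
        self.fails += 1
        if self.policy == "lockout" and self.fails >= self.max_fail:
            self.locked = True
        elif self.policy == "throttle":
            delay = min(self.base_delay * 2 ** (self.fails - 1), self.cap)
            self.not_before = self.clock.now + delay
        return "wrong"


def brute_force(mailbox, budget_seconds):
    """Attacker tries every PIN in order, waiting out throttles, until the
    time budget runs out or the account locks. Returns (pin_or_None, elapsed)."""
    clock = mailbox.clock
    for pin in ALL_PINS:
        while True:
            if clock.now > budget_seconds:
                return None, clock.now
            result = mailbox.check(pin)
            if result == "ok":
                return pin, clock.now
            if result == "locked":
                return None, clock.now
            if result == "throttled":
                clock.advance_to(mailbox.not_before)   # wait, then retry same PIN
                continue
            clock.sleep(ROUND_TRIP)
            break
    return None, clock.now


def simulate(policy, pin="7319", budget_seconds=86400.0):
    """Run a one-day attack under `policy`. Returns (found_pin, elapsed_seconds,
    guesses_evaluated, owner_result) where owner_result is what the legitimate
    owner sees when entering the correct PIN right after the attack."""
    clock = Clock()
    box = Mailbox(pin, policy, clock)
    found, elapsed = brute_force(box, budget_seconds)
    guesses = box.guesses
    owner = box.check(pin)
    return found, elapsed, guesses, owner


if __name__ == "__main__":
    for policy in ("none", "lockout", "throttle"):
        print(policy, simulate(policy))
```

With no limit the attacker walks the whole keyspace in about 73 simulated seconds. With hard lockout the attacker is stopped after 5 guesses, but so is the owner, which is exactly the DoS Roo describes: anyone who knows the number can lock the mailbox at will. With capped exponential throttling the attacker gets roughly a hundred guesses per day against 10,000 candidates and the owner is delayed by at most the cap rather than locked out; keying the delay on the calling source as well as the account shrinks even that delay for the real owner.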

  4. Anonymous Coward

    Vodafone "security"

My business account was fraudulently used to "purchase" three iPhones (long story, but basically the fraudsters get them delivered to the registered address, phone up claiming to be Vodafone saying "they were sent in error" and hope you'll fall for it and let them collect and "return" the phones).

    I called Voda as soon as I spotted what was going on. "Oh, so it wasn't you (the only name on the account) who phoned up earlier to place the order then"?

    In the past they had never asked what I considered to be "security questions" when I phoned them - I assumed they knew it was "me" as I was calling from the registered handset (they certainly knew my name). After talking to them I spotted the flaw in their security process - it seems they had been "taking me through security" in the past. They would ask for:

    1) My name;

    2) The company name;

    3) The registered office address.

    That's it! So, "security" for Ltd.Co. accounts is based on information that's public record?

    Doh!

    *My reward for all the bother was to have my online account cancelled (without notice), cancellation of my direct debit (also without notice, resulting in missing a payment) and several months of incorrect bills whilst the corrections to corrections were corrected.

  5. Anonymous Coward

    Have they done this on purpose?

    NSA, FBI, GCHQ....etc?


Biting the hand that feeds IT © 1998–2021