Vodafone's My Account system exposes user information

There’s a raft of Vodafone UK customers up in arms because of a recently discovered exploit with the company’s My Account online control panel.

Mobile enthusiast-cum-uber-geek Terence Eden documents the joyous experience on his blog. The quick overview? Use the password reminder feature to type in a random phone number and the system will tell you if there’s an email address registered to that account. It’s an unfortunate error that Vodafone’s legions of developers should have considered.

As Terence points out, to recover your password, you type in your phone number. If the system finds your details, it says ‘thanks, we’ve sent an email to [your email address]’. This makes some sense for you and I when we’re using the system with a genuine requirement.

However it was possible to type in any number and increment it sequentially, picking up both the phone number and email address of each account.

A chap called @denny pointed this out yesterday at 1pm on Twitter. Terence reports that it appears to have taken until 1130am this morning for Vodafone to patch the flaw. I tried it this evening and now the system definitely seems patched.

There’s no indication right now whether some enterprising chap has discovered this ‘feature’ and run a script to pick out the details for every number from 07100 000 000 to 07999 999 999 in Vodafone’s user control panel database. Not good at all.

If you’re working at a mobile operator, take a few minutes to check you didn’t buy the same My Account system as Vodafone did… 😉