6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

Doesn't surprise me.

[lattyware]

I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

This is fixed now

[diversiform]

according to Kevin Burke [inburke.com] who originally found the issue (scroll down to "Wednesday morning").

Re:This is fixed now

[140Mandak262Jamuna]

Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed log ins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.