Sprint’s Website Contains a Bug That Shows Other Customers’ Account Info

Numerous customers told Sprint they were concerned about being able to view other customers’ account details while trying to view their own. Information such as names, phone numbers, and calls made was visible. One customer was quoted as saying, “I was able to click each one individually and see every phone call they made, the text messages they used, and the standard info, including caller ID name they have set.” The flaw is believed to stem from a bug that was not caught during prerelease tests; in effect, user account access controls were not enforced, leaving other users’ account information accessible. This underscores that security should be taken seriously at every stage of the development cycle: had the tests been run correctly, this would have been caught. Sprint has since released a statement acknowledging the issue and confirming that it is working on a correction.

Analyst Notes

Since it is unclear how long the information was available to other users, it is hard to determine if any information fell into the wrong hands. Until Sprint releases more information, customer accounts should be monitored for any suspicious activity that could be linked back to this occurrence.