A Silicon Valley developer claims that Virgin's requirement of a six-digit user-account PIN -- one that can be brute-forced -- makes user accounts almost trivial to crack.
A developer is taking Virgin Mobile USA to task, arguing that its username and password handling put users at risk.
Kevin Burke yesterday took to his personal blog to report that Virgin Mobile's authentication process only allows users to enter numbers as their account PIN. What's worse, he says, the password is limited to six digits, leaving "only one million possible passwords you can choose."
"This is horribly insecure," Burke wrote. "Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day."
"I verified this by writing a script to 'brute force' the PIN number of my own account," he continued. While Virgin apparently does freeze accounts after several failed login attempts, Burke wrote that clearing browser cookies between login attempts sidesteps that security measure.
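The lockout bypass Burke describes comes down to where the failed-attempt counter lives: if it is tied to the client's session cookie, discarding the cookie discards the count. The following is an added example, not code from Virgin Mobile or from Burke, that models the two designs side by side in Python; the account number, PIN and the five-failure threshold are constructed values, since the article only says "several" attempts.

```python
"""Lockout counter keyed on the session cookie versus keyed on the account.

Added illustration; not Virgin Mobile's implementation, about which nothing
beyond the article is assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5  # assumed threshold; the article only says "several"


@dataclass
class AccountStore:
    # Constructed sample account (phone number -> PIN); hypothetical values.
    pins: dict = field(default_factory=lambda: {"555-0100": "123456"})
    failures_by_session: dict = field(default_factory=dict)
    failures_by_account: dict = field(default_factory=dict)
    locked_accounts: set = field(default_factory=set)

    def _pin_matches(self, account, pin):
        # Constant-time comparison so response timing does not leak PIN prefixes.
        return hmac.compare_digest(self.pins.get(account, ""), pin)

    def login_cookie_keyed(self, session, account, pin):
        """Weak design: the failure count is tracked per session cookie, so a
        client that presents a fresh session starts again from zero."""
        if self.failures_by_session.get(session, 0) >= MAX_FAILURES:
            return "locked"
        if self._pin_matches(account, pin):
            return "ok"
        self.failures_by_session[session] = self.failures_by_session.get(session, 0) + 1
        return "denied"

    def login_account_keyed(self, session, account, pin):
        """Hardened design: the failure count is server-side state keyed on the
        account, so client-held state (cookies) has no influence on it."""
        if account in self.locked_accounts:
            return "locked"
        if self._pin_matches(account, pin):
            self.failures_by_account.pop(account, None)  # reset on success
            return "ok"
        n = self.failures_by_account.get(account, 0) + 1
        self.failures_by_account[account] = n
        if n >= MAX_FAILURES:
            self.locked_accounts.add(account)
        return "denied"


def new_session():
    """Stand-in for the server issuing a new session cookie."""
    return secrets.token_hex(8)


def wrong_guesses_accepted(login, account, attempts, fresh_session_each_time):
    """Submit the same wrong PIN repeatedly and count how many attempts the
    policy answers with 'denied' before it first answers 'locked'."""
    wrong_pin = "000000"  # constructed; differs from the stored PIN
    session = new_session()
    accepted = 0
    for _ in range(attempts):
        if fresh_session_each_time:
            session = new_session()  # what clearing cookies looks like server-side
        if login(session, account, wrong_pin) == "locked":
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    for name, fresh in (("same cookie", False), ("fresh cookie each time", True)):
        weak = wrong_guesses_accepted(AccountStore().login_cookie_keyed, "555-0100", 20, fresh)
        hard = wrong_guesses_accepted(AccountStore().login_account_keyed, "555-0100", 20, fresh)
        print(f"{name:>22}: cookie-keyed accepted {weak}, account-keyed accepted {hard}")
```

With the same cookie both policies stop after five failures, but with a fresh cookie per attempt the cookie-keyed counter never locks, while the account-keyed one still stops at five. In practice the account-keyed counter is usually paired with per-source rate limiting and an alert when one account accumulates failures across many sessions, which is also the signal a defender would watch for here.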
Burke claims that hackers who force their way into an account could read the user's call and SMS logs, change handsets associated with the account, and even purchase new handsets.
Before disclosing his findings publicly, Burke spent a month trying to alert Virgin Mobile to the problem. One representative at Virgin Mobile's Twitter care center directed him to the "Authentication and Contact" section of its General Terms and Conditions. That section discusses how the PIN works, and explains that the company may "treat any person who presents your credentials that we deem sufficient for account access as you or an authorized user on the account for disclosure of information or changes in Service."
Burke writes that he was referred to a representative at Sprint Executive and Regulatory Services, who eventually told him not to expect further action from Virgin Mobile. (Virgin Mobile USA is a "prepaid brand" of Sprint Nextel.) At that point, Burke decided to go public.
So far, there's no indication that anyone has exploited the vulnerability Burke claims to have identified -- certainly not on a large scale.
CNET has contacted Virgin for comment on Burke's findings. We will update this story when we have more information.