Sprint vulnerability

Sprint Vulnerability: the flaw in the Online Portal

A researcher discovered a security flaw (the Sprint vulnerability) in Sprint's online system that allowed anyone to access the internal staff portal. Sprint is the fourth largest firm in the USA providing wireless and internet services. As of October 2017, the company has around 54 million active users of the services it offers through subsidiaries including Virgin Mobile and Boost Mobile.

Sprint Vulnerability in the Online Portal

Recently, a security researcher discovered a bug in Sprint's staff portal. According to his findings, the bug could let anyone intrude into the internal system simply by entering two sets of login credentials one after another. The researcher reported the matter to TechCrunch, who then disclosed the discovery and also informed Sprint about it.

The researcher was able to access the system easily because the credentials were easy to guess. Moreover, the portal did not use any two-factor authentication. As stated in their report,

“Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal.”

After accessing the system, the researcher could easily navigate to various pages containing staff information.

Sprint Vulnerability: Internal Details Accessed By Easy Login Process

Exploiting the bug was quite easy for the researcher. First, he entered login credentials for an employee portal that let him view customer data with staff-level access. This account exposed the data of Sprint's users as well as those of its subsidiaries Boost Mobile and Virgin Mobile. He then entered another username and password that gave him access to the users' account data portal.

He shared the screenshots of the entire process with TechCrunch, who reported the details to Sprint. At the moment, Sprint is working to patch the flaw. According to a Sprint spokesperson,

Was The Bug Dangerous?

The researcher who discovered the flaw preferred to keep his identity hidden for security reasons. According to his findings, the bug was extremely harmful and could result in severe damage to the firm's credibility. However, the comment by the Sprint spokesperson hints that they do not believe it to be that dangerous.

On the other hand, according to the researcher, not only did he gain access to customers' data, but he could also make significant changes to a user's account.

To make these changes, all he needed was a four-digit PIN and the user's mobile number. For anyone attacking the system who knew a number, or planned to enter their own, obtaining the PIN was easy: the system placed no limit on PIN attempts, so a four-digit PIN (only 10,000 possible values) could be guessed by repeated attempts.

With such easy access to the PINs, the system not only exposed customers' accounts to potential criminal hackers but also opened the door to SIM swapping attacks.
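The missing control described above is an attempt limit on the PIN check. As an added example (not Sprint's code, nor anything from the TechCrunch report), here is a four-digit PIN verifier that locks the account after a fixed number of failures; the mobile number, PIN, attempt count and lockout window are constructed values, and a helper measures how many guesses one account tolerates with and without the limit.

```python
"""Added example: a four-digit PIN check with the attempt limiting
the article says the portal lacked. Not Sprint's or Swascan's code."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5          # failures allowed before the account is locked (assumed policy)
LOCKOUT_SECONDS = 900     # 15-minute lockout, chosen for illustration


@dataclass
class PinAccount:
    """Constructed sample record; a real system stores a salted hash, not the PIN."""
    mobile: str
    pin: str
    failures: int = 0
    locked_until: float = 0.0


def verify_pin(account: PinAccount, attempt: str, now: Optional[float] = None,
               enforce_limit: bool = True) -> str:
    """Return 'ok', 'wrong' or 'locked'.

    With enforce_limit=False this behaves like the unlimited check the
    article describes, where every one of the 10,000 PINs can be tried."""
    now = time.time() if now is None else now
    if enforce_limit and now < account.locked_until:
        return "locked"
    # Constant-time comparison so response timing does not leak partial matches.
    if hmac.compare_digest(account.pin.encode(), attempt.encode()):
        account.failures = 0
        return "ok"
    account.failures += 1
    if enforce_limit and account.failures >= MAX_ATTEMPTS:
        account.failures = 0
        account.locked_until = now + LOCKOUT_SECONDS
    return "wrong"


def guesses_tolerated(enforce_limit: bool) -> int:
    """Number of sequential PIN guesses one account accepts before it is
    locked, or before the PIN is found when no limit is enforced."""
    acct = PinAccount(mobile="555-0100", pin="7391")  # constructed sample
    for n, guess in enumerate(f"{i:04d}" for i in range(10_000)):
        result = verify_pin(acct, guess, now=0.0, enforce_limit=enforce_limit)
        if result == "locked":
            return n
        if result == "ok":
            return n + 1
    return 10_000
```

With the limit on, the account locks after five wrong guesses; with it off, the whole PIN space is walked until the correct value turns up.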

Any Preventions?

The only way to stay protected from cyber attacks that exploit security vulnerabilities like this one is to adopt a proactive approach to cybersecurity.

Preventive CyberSecurity is key. This is why activities like Vulnerability Assessment and Network Scan are the ideal tools to face such challenges.

Periodic testing of your assets protects you from harmful attacks and brand damage.

To this end, Swascan provides a unique set of tools that allows you to scan your IT architecture and identify all the actions that need to be implemented in order to fix security vulnerabilities.

About Pierguido Iezzi

For years I have been working on CyberSecurity and Digital Innovation. I have founded and follow several start-ups. My passion for Information Security led me to launch Swascan, of which I am Co-Founder together with Raoul Chiesa. Swascan is the first CyberSecurity platform in cloud, SaaS and Pay for Use.
My motto is “Each of us is the answers to the questions we ask ourselves”.
