Sprint Vulnerability: the flaw in the Online Portal

A researcher discovered a security flaw (the Sprint vulnerability) in Sprint's online system that allowed anyone to access the internal staff portal. Sprint is the fourth largest firm in the USA that provides wireless and internet services. As of October 2017, the company has around 54 million active users of its services, offered through its subsidiaries including Virgin Mobile and Boost Mobile.

Sprint Vulnerability in the Online Portal

Recently, a security researcher discovered a bug in the staff portal of Sprint. According to his discovery, the bug could let anyone intrude into the internal system by simply entering two sets of login credentials one after another. The researcher reported the matter to TechCrunch, who then disclosed the discovery and also informed Sprint about it.

The researcher was able to access the system easily since the credentials were too easy to guess. Moreover, it did not use any two-factor authentication process. As stated in their blog,

“Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal.”

After accessing the system, the researcher could easily navigate to various pages containing staff information.



Sprint Vulnerability: Internal Details Accessed By Easy Login Process

Exploiting the bug was quite easy for the researcher. At first, he entered the login credentials to access an employee’s portal that let him view the customers’ data with staff access. This account opened up the data of users of Sprint, as well as its subsidiaries Boost Mobile and Virgin Mobile. After that, he entered another username and password that gave him access to the users’ account data portal.

He shared the screenshots of the entire process with TechCrunch, who reported the details to Sprint. At the moment, Sprint is working to patch the flaw. According to a Sprint spokesperson,

Was The Bug Dangerous?

The researcher who discovered the flaw preferred to keep his identity veiled due to security reasons. According to his findings, the bug he noticed was extremely harmful and could result in severe damage to the firm’s credibility. However, the comment by the Sprint spokesperson hints that they do not believe it to be that dangerous.

On the other hand, according to the researcher, not only did he gain access to the customers’ data, but he could also make significant changes to the user account.

To make these changes, all he needed was the user’s mobile number and a mere four-digit PIN. If someone attacking the system knew a number or planned to enter their own number, then entering the PIN was quite easy. The system had no limit on PIN attempts, so the four-digit PIN could easily be guessed through repeated attempts.

With such easy access to the PINs, the system not only exposed the customers’ accounts to potential criminal hackers but also opened them to SIM swapping attacks.
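The control the portal lacked, a cap on PIN attempts per mobile number, is sketched below as an added example; it is not code from the original article or from Sprint. The policy values (5 failures, 15-minute lock), the class and function names, and the sample number and PIN are assumptions constructed for illustration.

```python
import hmac
import time

MAX_FAILURES = 5          # assumed policy: failed attempts allowed before a lock
LOCKOUT_SECONDS = 900     # assumed policy: how long the number stays locked


class PinVerifier:
    """Checks an account PIN and locks the number after repeated failures."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins            # mobile number -> PIN (constructed sample data)
        self._failures = {}          # mobile number -> failed attempts so far
        self._locked_until = {}      # mobile number -> time at which the lock expires
        self._clock = clock

    def verify(self, number, pin):
        now = self._clock()
        if now < self._locked_until.get(number, 0.0):
            return "locked"          # refuse without comparing the PIN at all
        expected = self._pins.get(number, "")
        ok = number in self._pins and hmac.compare_digest(expected.encode(), pin.encode())
        if ok:
            self._failures.pop(number, None)
            return "ok"
        # Unknown numbers are counted too, so replies do not reveal which exist.
        count = self._failures.get(number, 0) + 1
        self._failures[number] = count
        if count >= MAX_FAILURES:
            self._locked_until[number] = now + LOCKOUT_SECONDS
            self._failures[number] = 0
        return "denied"


def guesses_evaluated_before_lock(verifier, number):
    """Try the 10,000 four-digit PINs in order; return how many were evaluated."""
    evaluated = 0
    for candidate in range(10_000):
        result = verifier.verify(number, f"{candidate:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    v = PinVerifier({"5550100": "4821"})   # constructed number and PIN
    print(guesses_evaluated_before_lock(v, "5550100"), "of 10000 guesses evaluated")
```

Without the lock, the same loop reaches any four-digit PIN in at most 10,000 requests; with it, only five guesses are evaluated per lockout window.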

Any Preventions?

The only way to stay protected from cyber attacks that exploit security vulnerabilities is to adopt a proactive approach towards cybersecurity.

Preventive CyberSecurity is key. This is why activities like Vulnerability Assessment and Network Scan represent the ideal tools to face such challenges.

Periodic tests of your assets protect you from harmful attacks and brand damage.

To this end, Swascan provides a unique set of tools that allows you to scan your IT architecture and spot all the necessary actions that need to be implemented in order to fix security vulnerabilities.
