We found you can hijack a Sprint user's account as long as you know
their cellphone number, just a smidge about them, and have half a
brain. Once inside, you have total access to their account. You could
change their billing address, order a whole bunch of cellphones sent
to a drop location, and leave the victim paying the bill. There's also
the stalker's wet dream: add GPS tracking to their cellphone and
secretly watch their every movement from any computer. Reader Jim told
Sprint about this 2 months ago but they ignored him, so I tested it
out and am publishing the results in the hope of getting Sprint to fix
this exploit. I'll show you we cracked into a Sprint account and just
how much damage I could have done, inside...
First I needed someone to volunteer their Sprint cellphone number to
test for research purposes. Intern Alex Chasick put out a request on
his IM Away Message and within minutes Nathan (thanks Nathan!) offered
up his number.
Next I went to a part on the Sprint website where you register for
online account access. I filled out some account registration and then
selected for Sprint to ask me a few questions to verify my identity so
I could set up my PIN code. This is where it gets fun.
Alex is in his 20's and lives in the Washington DC area, so I figured
that our mark is too. Just knowing that, I was able to answer all the
questions correctly in the first shot. Here's what they were:
Which of the following vehicle makes has been registered at the
following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None
of the Above."
I figure a college kid is not going to have a Lotus, Lamborghini, or a
Fiat, so I went with Honda.
"Which of the following people have resided with you or used the same
address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome
Ponicki, John Pace, None of the above."
The extra space in Jerry's last name caught my eye. That looks like a
data entry error, like the name was probably grabbed from an actual
database instead of a generated fake name. So I went with that one.
"In which of the following cities have you NEVER lived or used in your
address? Longmont, North Hollywood, Genoa, Butte, All of the above."
I've never heard of any of those cities being near DC, so I go with
"all of the above."
And then, open sesame, I'm in.
http://consumerist.com/376845/flawed...asily-hijacked
Flawed Security Lets Sprint Accounts Get Easily Hijacked 
Linear Mode
