
Not sure what you tried, but they haven't fixed the problem. I just tried 100 different random 6-digit passwords using a Python script over a one-minute interval, then logged in to my account just fine using the web interface.

I'd post my code, but that would let any idiot figure out how to replicate this attack. Try including a user agent, and not using the same cookies every time.
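
Added example (not code from the commenter or from Virgin Mobile): a defender-side simulation of why a failed-login limit keyed on the session cookie does nothing when each request carries a fresh cookie, while the same limit keyed on the account does. That the attempted fix was keyed on the cookie is an assumption drawn from the comment above; the limiter class, its thresholds and the sample attempts are all constructed for illustration.

```python
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window cap on failed logins, keyed by an arbitrary string."""

    def __init__(self, max_failures=5, window_s=900):
        self.max_failures = max_failures  # hypothetical threshold
        self.window_s = window_s          # hypothetical window, in seconds
        self._failures = defaultdict(deque)

    def allowed(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # forget failures that fell out of the window
        return len(q) < self.max_failures

    def record_failure(self, key, now):
        self._failures[key].append(now)


def by_session(attempt):
    # Weak key: the client chooses this value and can change it per request.
    return "sess:" + attempt["session"]


def by_account(attempt):
    # Strong key: the target account is fixed no matter what the client sends.
    return "acct:" + attempt["account"]


def simulate(key_fn, attempts):
    """Replay failed logins; return how many reached the password check."""
    limiter = AttemptLimiter()
    checked = 0
    for a in attempts:
        key = key_fn(a)
        if not limiter.allowed(key, a["t"]):
            continue  # rejected before any password comparison
        checked += 1
        limiter.record_failure(key, a["t"])  # every sample attempt is a wrong guess
    return checked


# Constructed sample: 100 wrong guesses at one account in about a minute,
# each arriving with a new session cookie and a rotating user agent.
ATTEMPTS = [
    {"t": i * 0.6, "account": "user-a", "session": f"s{i}", "user_agent": f"ua{i % 7}"}
    for i in range(100)
]

if __name__ == "__main__":
    print("keyed on session:", simulate(by_session, ATTEMPTS), "guesses checked")
    print("keyed on account:", simulate(by_account, ATTEMPTS), "guesses checked")
```

A hard per-account lock also lets anyone lock the owner out, so the per-account counter is usually paired with growing delays or a second factor rather than a permanent lock.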



It appears they are still clueless about how the internet works. https://twitter.com/VirginMobileAus/status/24795811996620800...


This is perhaps the best false promise corp-speak I've heard in relation to an exploit:

> any word on supporting longer passwords eventually?

> Nothing as of right now but it's something we may definitely look into in the future. Thanks, Shane.

"May definitely"?


I say post the code. That would really light the fire under Virgin's ass.

Any person nefarious enough to perform the attack is probably smart enough to figure it out anyway.


No thanks... that would cross the line between full disclosure and malice.

It should be trivial for anyone who understands HTTP and threads to reimplement.


I really hope that Virgin are not stupid enough to go after you in some lawyery way over this. I think you are already running a risk by disclosing this at all. The usual next step when a company doesn't show willingness to fix a security problem is that they try and shoot the messenger :-(


It should be trivial for anyone who understands HTTP and a for loop to reimplement.



