Sprint Picture Mail bug allows password-less logins

Evan Blass

Before we bring you any details about this rather serious security failure someone just discovered (and we've verified) concerning Sprint's online Picture Mail service, we'd like to implore everyone reading this to maintain a sense of civility and not to immediately go breaking into every account they can think of. That being said, we've been tipped by numerous people to a Howard Forums thread that claims entering any Sprint phone number into the Picture Mail login page on PC and mobile browsers and clicking OK will gain you access to the account -- no password necessary. Not only are Sprint customers' pictures and videos completely unprotected, the bug also allows anyone to view the email address associated with the given phone number (even if he/she doesn't upload photos) -- thereby assembling your digits, your name, and pictures of yourself and your family into one handy, stalker-friendly package. We hope that publishing this major flaw will allow our readers to take down any pics they may want to remain private, and more importantly, that it will cause Sprint to fix this problem ASAP.

Update: Mark Z. informed us that the Picture Mail login option has been replaced with a generic maintenance page. We'll save you the specifics, because the real message is written between the lines: "Please excuse our appearance while our PR team finishes with damage control."

[Thanks to everyone who sent this in]
