Buongiorno Closes Security Hole That Allowed Malicious Premium Rate Subscriptions
Mobile content distributor Buongiorno has closed a loophole in its systems that had enabled people to be signed up to premium rate services without their permission.
The loophole was discovered by consultant Mark Hole, who found that his business phone line had been signed up to a fortune-telling service without his permission. His investigation uncovered the security flaw.
He told BBC News that he was able to use a plug-in for his Firefox web browser that caused it to identify itself to the Buongiorno systems as an iPhone browser. All he then had to do was manually type in any phone number from the Orange UK network, and that number would be subscribed to the service.
Browser plug-ins that spoof the identity of other devices, such as smartphones, are normally a legitimate tool used by website developers for swift testing of their websites.
However, the loophole appeared to exist because Buongiorno was not verifying that the IP address used by the spoofed browser also fell within the range used by Orange.
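The missing check described above can be sketched as follows. This is an added example, not Buongiorno's code: the function names, the address ranges (documentation blocks) and the sample phone number are all constructed for illustration.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks); a real
# deployment would load the ranges supplied by the mobile operator.
OPERATOR_RANGES = {
    "orange-uk": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}


def from_operator_network(operator, peer_addr):
    """True if the TCP peer address lies inside the operator's ranges."""
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False  # malformed address: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) as seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in OPERATOR_RANGES.get(operator, ()))


def authorize_subscription(operator, peer_addr, user_agent, msisdn):
    """Decide whether a subscription request may be billed to msisdn.

    user_agent is accepted but deliberately ignored: the client chooses it,
    so it says nothing about which network the request came from.
    """
    if not from_operator_network(operator, peer_addr):
        return (False, "source address outside operator range")
    if not (msisdn.isascii() and msisdn.isdigit() and 10 <= len(msisdn) <= 15):
        return (False, "malformed number")
    return (True, "ok")


if __name__ == "__main__":
    ua = "Mozilla/5.0 (iPhone) constructed-sample"  # constructed User-Agent
    # First peer is outside the constructed ranges, second is inside.
    for peer in ("203.0.113.7", "192.0.2.44"):
        print(peer, authorize_subscription("orange-uk", peer, ua, "447700900123"))
```

The address passed in must be the peer address of the connection itself, not a value taken from a request header, since headers are as easy to set as the User-Agent.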
"There was a bug in the system," a spokesman for Buongiorno told the BBC. "When that was found out, we very quickly moved to pin it down, find out what happened and stop it from happening again."
As far as Buongiorno could tell, there had only been one "billed event" that had arisen as a result of the loophole.
Italy-based Buongiorno was recently bought by Japan's NTT DoCoMo.
On the web: BBC News