Get Free Sprint Features With URL Hacking

Two more instances of Sprint’s insecure online system:

1) Members of the Howards Forums cellphone message boards have discovered a URL hack that lets users add the “Unlimited Shared Night & Weekend Minutes at 5pm pack” for free to their account.

2) If you take this URL and replace the phone number at the end with the phone number of someone who hasn’t set up the PIN on their account, you will see the last 4 digits of their social security number. Not a huge deal, we give out the last 4 of our social over the phone all the time, but it seems a bit odd to broadcast these numbers unnecessarily.
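
Both flaws come down to the server acting on values from the URL without checking them against the logged-in session. The sketch below is an added example, not Sprint's code: the account data, offer codes and function names are constructed, and it assumes the URL carried a phone number and an offer code that the server applied as given. Each unchecked handler sits beside a version that enforces ownership and eligibility on the server.

```python
# Constructed sample data: the numbers, owners and offer codes are invented.
ACCOUNTS = {
    "5550100001": {"owner": "alice", "pin_set": False, "ssn_last4": "1234",
                   "eligible": {"NW7PM"}, "addons": set()},
    "5550100002": {"owner": "bob", "pin_set": False, "ssn_last4": "9876",
                   "eligible": {"NW7PM"}, "addons": set()},
}
# Server-side catalogue; NW5PM_FREE stands in for an offer not sold to these accounts.
CATALOGUE = {"NW7PM": 5.00, "NW5PM_FREE": 0.00}


class Forbidden(Exception):
    """Request refers to an account or offer the session may not use."""


def vulnerable_profile(session_user, phone):
    # Flaw: the phone number from the URL selects the record; the session is ignored.
    return {"ssn_last4": ACCOUNTS[phone]["ssn_last4"]}


def vulnerable_add_offer(session_user, phone, offer):
    # Flaw: any offer code the catalogue knows is applied, eligible or not.
    ACCOUNTS[phone]["addons"].add(offer)
    return CATALOGUE[offer]


def owned_account(session_user, phone):
    # Object-level check: the record must belong to the authenticated user.
    # Unknown and foreign numbers fail identically, so the error leaks nothing.
    acct = ACCOUNTS.get(phone)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden("account not available")
    return acct


def hardened_profile(session_user, phone):
    acct = owned_account(session_user, phone)
    # Return only what the page needs; the SSN digits never leave the server.
    return {"pin_set": acct["pin_set"]}


def hardened_add_offer(session_user, phone, offer):
    acct = owned_account(session_user, phone)
    # Eligibility and price both come from server-side data, not the request.
    if offer not in acct["eligible"] or offer not in CATALOGUE:
        raise Forbidden("offer not available")
    acct["addons"].add(offer)
    return CATALOGUE[offer]
```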

PREVIOUSLY: Flawed Sprint Security Worse Than We Thought
Flawed Security Lets Sprint Accounts Get Easily Hijacked

Comments

  1. Aphex242 says:

    Good lord does Sprint need to get in gear on this stuff or what?

    That’s crazy.

  2. Baron Von Crogs says:

    Makes me wish I had a Sprint phone.
    Though I have a feeling customers of Sprint who use this hack won’t have their service maintained for long at this free rate.

  3. Scuba Steve says:

    Seems unethical. Maybe that’s just me. But then again, I don’t have Sprint. Wish I could, but I don’t.

  4. sirwired says:

    I would think that Sprint is going to be able to figure out this URL trick pretty quickly, and those subscribers are going to be in for a surprise if Sprint is feeling testy, or they will just have the feature they didn’t pay for taken away if Sprint is feeling nice.

    SirWired

  5. Concerned_Citizen says:

    To be fair, people resorted to this method after failing to get the Sprint operators to add the service the correct way.

  6. theblackdog says:

    Will these people leave Sprint alone and start working on Verizon instead?

  7. Darren W. says:

    Sorry guys, it’s dead. I tried it, and got the following email:

    We are sorry, the service offer you attempted to add is no longer available. Available services can be found under the Change Plan Add Ons feature on your Sprint.com account.

    Name: *********
    Phone Number: **********
    Account Number: *********

    You added:
    . Unl Shared Night&Wknd Min 5pm

    Thanks again,
    Your friends at Sprint.

  8. PinkBox says:

    Nope, no longer works. I tried too.

  9. Pac says:

    I was able to successfully add this to my account just now. I had a plan where I had 1000 anytime minutes and I now have unlimited Nights and Weekends. From what I understand, this add-on isn’t available in all markets.

  10. Brie says:

    @Pac: Funny thing about the “not available in all markets”: I live in California. I have a friend in Missouri who told me he had unlimited texting, data AND pictures for $15 a month. Here, that would be something like $45 (this was a few months ago; I haven’t checked Sprint’s prices lately.) So I e-mailed Sprint and said “This is what my friend has but I don’t see it listed on My Sprint. Is this not available in my market?”

    I expected Sprint to say “no it’s not, but we can do it for $45” but instead they said “No it’s not, but we’ll make one special for you and make it free for two months!” And now for $15 a month I have the Peter in Missouri plan.

  11. Anjow says:

    “Not a huge deal, we give out the last 4 of our social over the phone all the time”

    But you give them out to verify your identity, don’t you? So if someone was in possession of these 4 digits then wouldn’t they have a much better chance of successfully impersonating the owner of them?

    I give out my mother’s maiden name all the time over the phone, however if someone got hold of it they could reset the passwords to (or otherwise gain access to) loads of services I use that rely on it for identity verification.

  12. LUV2CattleCall says:

    I like the reaction time for patching the deal vs. patching the security flaw…

  13. @bigdtbone: It seems like it got them to fix the problem. I think the point was more to embarrass the hell out of the company than to encourage readers to steal from Sprint.

    Plus, everyone on this website loves to go “blame the customer!” when something happens, claiming that if one leaves oneself open to being taken advantage of, one deserves it. Well isn’t this a variation of that? I’m not saying it’s ethical to take advantage of Sprint, but it’s certainly Sprint’s fault that they can be taken advantage of this way.

  14. Pro-Pain says:

    Sprint is great. I have the unlimited everything package for a monthly price that I won’t even post after discounts. Not to mention I NEVER get any dropped calls or anything. Sprint’s service is great. Don’t believe me? Try it yourself.

  15. reflection717 says:

    Wow, that’s a social engineer’s dream. Punch in a phone number get the last 4 of someone’s social and call them up to get their bank account number, credit card number, or basically anything else they want because they can “prove” they have that info because they have your social…. Nice Sprint! Good Job!

  16. cmac says:

    @Pro-Pain: I’m going to second this statement. I have had Sprint for probably 9 years. I actually tried to switch to AT&T during my last renewal but AT&T said they couldn’t get anywhere near what I was paying.

  17. Hmm… in this sort of situation, I wonder if any charges could be pressed against people who take advantage of the flaw. I mean, I would think not, because it’s due to an oversight on Sprint’s side. But on the other hand, I’ve heard that people have been charged for taking advantage of malfunctioning ATMs that were giving out twice the amount requested. I think that this Sprint issue is comparable…

  18. Yoooder says:

    When I tried it, it prompts me with the option to Add Nights/Weekends starting @ 5, then the following page to confirm my services shows the nights/weekends @ 7 (what I signed up for) and no 5:00 option in sight.

    Oh well :)

  19. synergy says:

    I’m not seeing the instructions on how to try it. Could someone point out the page for me, please?

    I’ve been with Sprint for 8 years and have had few (minor) problems. Calls rarely drop and when they do it’s probably because I work in a laboratory full of machinery and thick walls full of all sorts of piping.

  20. Squeezer99 says:

    @Yoooder:

    same here, for those too lazy to read the thread, the url is [manage.sprintpcs.com] and replace the x’s with your phone number.

  21. kalmakazee says:

    @Pro-Pain:

    Sprint is the BEST and yet also the STUPIDEST company out there.

    Sprint is the BEST because they have the BEST discounts out there. I also have unlimited incoming and outgoing and unlimited everything that they offer and free everything else and I am paying more than 60% off the bill.

    Sprint is the STUPIDEST company because
    A) They can never get the monthly bill right
    B) You gotta call em 50 times until you can find a rep that understands how to fix the bill with the correct amount.

  22. deepsprint says:

    This situation with the website described above does not surprise me because much of it has not worked right for months.

    The new CEO appears to know what he is doing but incompetents have been running Sprint the last few years and Sprint’s IT managers are no exception. Sprint’s cellphone network technology is very, very good. But its customer service IT is poorly managed and is a root cause of many of Sprint’s problems. Sprint’s backend customer service systems are so difficult to use for the poorly trained out-sourced reps that the most basic of tasks often get done incorrectly causing billing errors and customer dissatisfaction. Or, more commonly, don’t get done at all as the rep (who is under pressure to keep calls short) transfers the call to get rid of the customer they cannot help because they are unable to deal with Sprint’s billing systems. This is why the most common response when you call Sprint for anything more than the simplest of tasks is to get transferred around and around.

  23. gStein_*|bringing starpipe back|* says:

    so, customer privacy leak: fuck it
    leak that costs us money: fixed immediately

  24. nsv says:

    I just tried to get the last four of my ssn and couldn’t do it. And I don’t have a PIN set up.

    I also called Sprint and nicely asked for additional stuff, and got pretty much what I asked for. And it only took about an hour and a half and three different reps…

  25. theycallmetak says:

    Has anyone read the thread? You’re hacking the URL to request it for free. Ecare and a CS agent still need to approve it.