If your phone is lost, what do you feel you have lost? - Vulnerability warning - the black bar safety net

ID MYHACK58:62201337831
Type myhack58
Reporter Anonymous
Modified 2013-03-19T00:00:00


Brief description:

If your phone is lost, what do you feel you have lost? You may feel that the phone itself is worth nothing and that the address book is what matters. When I was young and ignorant... I felt that losing the phone meant losing QQ as well. However, when I was young and ignorant, I found... that with a lost phone you may want to cry but have no tears! Imagine that your phone were lost right now: what would you lose? Dear friends, all kinds of strange answers are welcome.

Detailed description:

Nowadays most online accounts are bound to a phone number, and the phone's privileges are very, very high... so high that it is lonely at the top. Having read this far, you may already know what is going on.

Maybe you have already evaluated this issue. But I think... it is very necessary to rectify it! Every day someone loses a phone; like the daily birth rate and death rate, the number is never 0. After the phone is lost, how many people immediately report the phone number as lost? And how many immediately deal with the online accounts tied to that phone? Even if you have this awareness, by the time you find a computer and go through the various steps, will you be faster, more accurate and more ruthless than a well-prepared thief???

select money from your tenpay where the phone lost = true and mobile phone on the QQ number = true and qq, tenpay and mobile phone binding = true

Imagine that your phone were lost right now: what would you lose?

(1) Testing shows that when QQ is bound to a phone, sending a single SMS is enough to change the password directly, with no other secondary authentication. This is even more frightening than the phone storing the password in plaintext! If the phone merely stored the password in plaintext, then after losing the phone you could change the password and be fine. But with QQ bound to the phone, once the phone is lost, besides someone else possibly logging in to your QQ, your QQ may no longer belong to you at all, because the phone number bound to your QQ may be replaced.

(2) If your Tenpay account is also bound to the phone (Tencent recommends binding anyway), then in the Forgot Password flow for changing the password, a phone verification code is enough to change the Tenpay login password (by default the same as the QQ password) and the payment password. At that point, any money that can be paid from the balance no longer belongs to you.

(3) If your Tenpay account is also bound to various bank cards for quick payment (Tencent runs various promotions to encourage users to bind quick payment: the more cards bound, the more offers, usually cash coupons), then you die all the more heroically if the phone is lost! The login password is obtained, the payment password is obtained, and the quick-payment SMS verification is taken care of as well!

(PS: PayPal has a similar problem if the PayPal account uses a mobile phone number, and Tenpay can also be registered with a phone number... In fact, many platforms have this problem.)

Vulnerability proof:

(1) Forgot Password? - forgot the security questions - retrieve the password by phone


(2) One SMS is enough to get the QQ password... It even cost me quite a lot of money!


(3) The Tenpay login password and payment password are taken care of as well


Start paying, young man! Phone in hand, the world is mine! In this era of the underdog's counter-attack, decisively pick up the phone of the tall, rich and handsome guy next to you and enter the payment hotline now!

Repair solutions:

For authentication, the phone should not be treated as a universal key. Combining multiple authentication methods is recommended: for example, phone verification should also require answering a secret question or meeting other account-appeal conditions. Verification with two phone numbers can also be used: the primary number issues the Change Password command, but a secondary number (such as a parent's phone) must confirm it, and the secondary number has only the permission to confirm, with no authority to issue the Change Password command.
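The two-number scheme described above, sketched as an added example (not code from the original report or from Tencent). The class name, the send_sms callable, the six-digit codes and the 10-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

TTL = 600  # assumed lifetime of a pending reset, in seconds


class DualNumberReset:
    """Reset needs a command from the primary number AND a confirmation
    code delivered to the secondary number; one phone alone is not enough."""

    def __init__(self, primary, secondary, send_sms):
        self.primary, self.secondary = primary, secondary
        self.send_sms = send_sms  # hypothetical gateway: callable(number, text)
        self.pending = None       # (primary_code, secondary_code, expiry)

    def request(self, from_number, now=None):
        now = time.time() if now is None else now
        # Only the primary number may issue the Change Password command.
        if from_number != self.primary:
            return False
        p = f"{secrets.randbelow(10**6):06d}"
        s = f"{secrets.randbelow(10**6):06d}"
        self.pending = (p, s, now + TTL)
        self.send_sms(self.primary, p)
        self.send_sms(self.secondary, s)
        return True

    def confirm(self, primary_code, secondary_code, now=None):
        now = time.time() if now is None else now
        if self.pending is None:
            return False          # nothing to confirm: secondary cannot initiate
        p, s, expiry = self.pending
        self.pending = None       # single use, consumed even on failure
        ok = now <= expiry
        # Constant-time comparison of both codes.
        ok &= hmac.compare_digest(primary_code.encode(), p.encode())
        ok &= hmac.compare_digest(secondary_code.encode(), s.encode())
        return bool(ok)
```

Because a failed confirmation consumes the pending reset, someone holding only the primary phone gets one guess at the secondary code per reset request.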

Reducing security risk often comes at the price of quick and easy operation!

Maybe you have already evaluated this issue. But I think... it is very necessary to rectify it! Because if the phone falls into a malicious user's hands, the exploitation difficulty is low and the harm is high. (Compared with using the contacts in the address book to run scams.)

Good! Time to eat breakfast... (Not a required step for fixing the bug; I am just off to eat breakfast.) Having typed out so many words, even if there is no credit there is still hard work, and even if there is no hard work there is still "salty acid labor"!