Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to Personal Options.
3. Press 2 to go to Administrative Options.
4. Press 1 to go to Password.
5. Press 2 to turn your password On.

Thanks for the reminder, Nitesh!

Posted Mon, 02 Jul 2007 03:11:06 GMT in Chris Shiflett's Blog