Major security issue with My Ooma

JuanDiablo
Posts:3
Joined:Wed Jan 13, 2010 1:29 pm
Major security issue with My Ooma

Post by JuanDiablo » Wed Jan 13, 2010 5:42 pm

So this afternoon I opened up Firefox, pointed it to my.ooma.com/inbox and found myself with full access to someone else's account. I wasn't prompted for any login information and the computer I'm using hasn't been out of my control.

I could listen to their voicemail, view their call logs and had complete control over their settings, personal information and password/security question.

Has anyone else encountered this situation or have any idea how it could have happened?

Needless to say, I now have zero confidence in Ooma protecting my account and personal information.

AZGuyJoe
Posts:69
Joined:Fri Jan 01, 2010 1:10 pm

Re: Major security issue with My Ooma

Post by AZGuyJoe » Thu Jan 14, 2010 7:43 am

Was the information fairly recent?
I'm thinking that your ooma number used to belong to someone else and things never got cleared out.

joeed2
Posts:101
Joined:Wed Dec 23, 2009 8:52 pm

Re: Major security issue with My Ooma

Post by joeed2 » Thu Jan 14, 2010 8:25 am

True, Ooma recycles the numbers.

Mike-o-Matic
Posts:169
Joined:Wed Nov 18, 2009 7:45 pm

Re: Major security issue with My Ooma

Post by Mike-o-Matic » Thu Jan 14, 2010 9:14 am

Or did you by chance buy the ooma unit used? Say, off of eBay or elsewhere?

If so, it was probably already activated and used to make calls, and the seller never cleaned up their account (or never even visited my.ooma.com). Ooma, Inc. would have no way of knowing about this, and it wouldn't be their fault.

Just an idea.
Customer Since: November 2009.
Number Port: ordered 12/14/09; completed 01/07/10.
Hardware: one Hub, one Scout, one Telo.
Service Level: Annual Premier.

JuanDiablo
Posts:3
Joined:Wed Jan 13, 2010 1:29 pm

Re: Major security issue with My Ooma

Post by JuanDiablo » Thu Jan 14, 2010 10:09 am

Nope, this was a brand new Ooma unit that was purchased during the first week in December; our phone number was ported roughly three weeks later, and it has worked fairly well over the past six weeks.

To test if this other account was active I called their number from my cell phone and that call appeared in their logs. The voice mail I had access to was as recent as 1/8/2010 and as early as 11/20/2009. The call logs I can view span from 11/16/2009 to today.

To access my account I opened a different browser (Chrome) and was able to log in with my phone number and password. At this point I have the other account open in Firefox and my account open in Chrome. Firefox was set to remember my password and I had accessed My Ooma many times without any issues.

Again, zero confidence in their website security.

Groundhound
Posts:2711
Joined:Sat May 23, 2009 9:28 am
Location:Atlanta, GA

Re: Major security issue with My Ooma

Post by Groundhound » Thu Jan 14, 2010 11:52 am

JuanDiablo wrote: At this point I have the other account open in Firefox and my account open in Chrome. Firefox was set to remember my password and I had accessed My Ooma many times without any issues.
I'd send a screenshot of the other account by PM to Dennis P and/or Bobby B. http://www.ooma.com/forums/memberlist.php?mode=leaders

JuanDiablo
Posts:3
Joined:Wed Jan 13, 2010 1:29 pm

Re: Major security issue with My Ooma

Post by JuanDiablo » Thu Jan 14, 2010 3:14 pm

Here's a screenshot with our personal info blacked out.

Has anyone on this board looked into Ooma's website security or have any insight as to how such a major breach could happen?

joeed2
Posts:101
Joined:Wed Dec 23, 2009 8:52 pm

Re: Major security issue with My Ooma

Post by joeed2 » Fri Jan 15, 2010 10:52 am

Have you contacted Ooma?

I think your issue is beyond the scope of these forums. I'd interact directly with Ooma on this one. All we can do here is speculate, and speculation isn't going to solve this issue. Ooma would be better able to address your specific issue, and be able to trace the account, MAC address of the hardware, email address, phone numbers, etc.

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Major security issue with My Ooma

Post by amoney » Fri Jan 15, 2010 12:15 pm

Curious what version of Firefox you are running, and if you delete all your cookies, etc., can you reproduce the problem? I am assuming you can.

I have Firefox 3.5.6 and no issues.

I can only assume there is an issue on Ooma's end (account specific) that is exposed when using your version of Firefox.

What does customer service have to say about this?
Comcast > Telo > WRT54G

joeed2
Posts:101
Joined:Wed Dec 23, 2009 8:52 pm

Re: Major security issue with My Ooma

Post by joeed2 » Fri Jan 15, 2010 2:29 pm

I don't believe he has contacted customer service. That's probably the best thing to do at this point. All we can do here is speculate, and speculation isn't going to solve anything.
