Major security issue with My Ooma
-
- Posts:3
- Joined:Wed Jan 13, 2010 1:29 pm
So this afternoon I opened up Firefox, pointed it to my.ooma.com/inbox and found myself with full access to someone else's account. I wasn't prompted for any login information and the computer I'm using hasn't been out of my control.
I could listen to their voicemail, view their call logs and had complete control over their settings, personal information and password/security question.
Has anyone else encountered this situation or have any idea how it could have happened?
Needless to say, I now have zero confidence in Ooma protecting my account and personal information.
Re: Major security issue with My Ooma
Was the information fairly recent?
I'm thinking that your Ooma number used to belong to someone else and things never got cleared out.
Re: Major security issue with My Ooma
True, Ooma recycles the numbers.
- Mike-o-Matic
- Posts:169
- Joined:Wed Nov 18, 2009 7:45 pm
Re: Major security issue with My Ooma
Or did you by chance buy the Ooma unit used? Say, off of eBay or elsewhere?
If so, it was probably already activated and used to make calls, and the seller never cleaned up their account (or never even visited my.ooma.com). Ooma, Inc. would have no way of knowing about this, and it wouldn't be their fault.
Just an idea.
Customer Since: November 2009.
Number Port: ordered 12/14/09; completed 01/07/10.
Hardware: one Hub, one Scout, one Telo.
Service Level: Annual Premier.
-
- Posts:3
- Joined:Wed Jan 13, 2010 1:29 pm
Re: Major security issue with My Ooma
Nope, this was a brand new Ooma unit that was purchased during the first week in December; our phone number was ported roughly three weeks later, and it has worked fairly well over the past six weeks.
To test if this other account was active I called their number from my cell phone and that call appeared in their logs. The voice mail I had access to was as recent as 1/8/2010 and as early as 11/20/2009. The call logs I can view span from 11/16/2009 to today.
To access my account I opened a different browser (Chrome) and was able to log in with my phone number and password. At this point I have the other account open in Firefox and my account open in Chrome. Firefox was set to remember my password and I had accessed My Ooma many times without any issues.
Again, zero confidence in their website security.
-
- Posts:2711
- Joined:Sat May 23, 2009 9:28 am
- Location:Atlanta, GA
Re: Major security issue with My Ooma
I'd send a screenshot of the other account by PM to Dennis P and/or Bobby B. http://www.ooma.com/forums/memberlist.php?mode=leaders
JuanDiablo wrote: At this point I have the other account open in Firefox and my account open in Chrome. Firefox was set to remember my password and I had accessed My Ooma many times without any issues.
-
- Posts:3
- Joined:Wed Jan 13, 2010 1:29 pm
Re: Major security issue with My Ooma
Here's a screenshot with our personal info blacked out.
Has anyone on this board looked into Ooma's website security or have any insight as to how such a major breach could happen?
Re: Major security issue with My Ooma
Have you contacted Ooma?
I think your issue is beyond the scope of these forums. I'd interact directly with Ooma on this one. All we can do here is speculate, and speculation isn't going to solve this issue. Ooma would be better able to address your specific issue, and be able to trace the account, MAC address of the hardware, email address, phone numbers, etc.
Re: Major security issue with My Ooma
Curious what version of Firefox you are running, and if you delete all your cookies, etc., can you reproduce the problem, which I am assuming you can?
I have Firefox 3.5.6 and no issues.
I can only assume there is an issue on Ooma's end (account specific) that is exposed when using your version of Firefox.
What does customer service have to say about this?
Comcast > Telo > WRT54G
Re: Major security issue with My Ooma
I don't believe he has contacted customer service. That's probably the best thing to do at this point. All we can do here is speculate, and speculation isn't going to solve anything.