We have held off for hours on reporting on a major security breach, in the hopes that Sprint would act. However, they have not, so we will report as others have in the media.
By disabling JavaScript, you can enter any valid Sprint phone number with a Picture Mail account and gain access, provided you turn JavaScript back on after the transition authentication page is displayed. This is even easier to perform on a cell phone without JavaScript, as the Picture Mail system does not use JavaScript on such devices.
As of this report, the exploit is still active on the Picture Mail web site.
Update: The problem appears to have been fixed on Sprint’s end; entering a valid number without a password now generates an internal server error.
Update 2: Minutes after our last report, Sprint has taken Picture Mail web services offline for “routine maintenance and enhancements”…
Update 3: Picture Mail services have again been restored.