A 19-year-old from Grafton, New South Wales has found a hole in the mobile broadband networks of both Optus and Vodafone that allows users free access to the internet.
Tim Williams, manager of Black Hat Computers, told ZDNet Australia that he was able to gain free access to any website using an Optus prepaid account whose plan includes free access to social sites such as Facebook.com.
"You are able to access Youtube.com and Bing.com with no credit on a prepaid Optus phone," he said. "If the URL contains youtube.com it will allow almost any traffic to pass through on port 80 and port 443."
Williams created a subdomain of his own website whose host name began with "youtube.com" and set up a proxy there, which let him reach any website from that point despite having no credit on his Optus account.
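The flaw described above is a classic allowlist mistake: deciding that traffic is "free" because the string youtube.com appears somewhere in the URL, rather than because the request's host name is that domain or a subdomain of it. The following example, added here and not taken from the article or from either carrier, contrasts the substring rule with a host-based suffix match. The allowlist and the sample requests are constructed for illustration; the article names only youtube.com, facebook.com and bing.com as zero-rated sites.

```python
from urllib.parse import urlsplit

# Hypothetical zero-rated allowlist (constructed for this example).
ZERO_RATED_DOMAINS = ("youtube.com", "facebook.com", "bing.com")


def hostname_of(url: str) -> str:
    """Return the lowercase host name of a URL (no port, no path, no trailing dot)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def naive_is_zero_rated(url: str) -> bool:
    """The flawed rule the article describes: a substring match anywhere in the URL."""
    return any(domain in url for domain in ZERO_RATED_DOMAINS)


def strict_is_zero_rated(url: str) -> bool:
    """Corrected rule: the host must equal an allowed domain or end with '.' + domain.

    The dot boundary is what stops 'youtube.com.example.net' from matching, and
    checking the host (not the full URL) is what stops a query string or path
    containing 'youtube.com' from matching.
    """
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in ZERO_RATED_DOMAINS)


def audit(urls):
    """Return (url, naive_decision, strict_decision) so the two rules can be compared."""
    return [(u, naive_is_zero_rated(u), strict_is_zero_rated(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample requests, not taken from the article.
    SAMPLES = [
        "https://www.youtube.com/watch?v=abc",       # genuine subdomain: both rules allow
        "http://youtube.com.example.net/proxy/",     # string inside a foreign host: only naive allows
        "https://example.net/?ref=youtube.com",      # string in the query: only naive allows
        "https://bing.com/",                         # exact allowed host: both rules allow
    ]
    for url, naive, strict in audit(SAMPLES):
        print(f"{url:45s} naive={naive!s:5} strict={strict!s:5}")
```

Two practical notes for anyone building such a rule: on port 443 the network element can see only the host name (from DNS or the TLS server name), not the path or query, so the decision must be made on the host in any case; and a strict host match closes the subdomain trick but still trusts every host that legitimately resolves under the allowed domain, so the allowlist should be kept to domains the carrier actually intends to subsidise.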
"I was able to browse some sites but it sometimes only loaded half the content on the web page."
From there, Williams switched to OpenVPN on his server to create a virtual private network and encrypt the traffic.
"I [then] had full internet access with no restrictions: everything worked perfect," he said.
Williams then tried the exploit with Vodafone, which also offers free social-networking access for its mobile plans, and said he was also able to get free internet access.
When he discovered the exploit, he informed Optus. He has made several attempts to contact Vodafone about the issue but said its customer service had been "less than good".
Optus confirmed to ZDNet Australia that it was aware of the hole, and that it had since been patched.
"Optus was alerted to an isolated issue regarding the potential misuse of some prepaid mobile plans to gain free internet access," Optus said. "Our investigation found that there was potential for this to occur through the deliberate misuse by a user."
"We have since resolved the issue and we thank the customer for alerting us to it."
Williams has made a one-click program that will allow people to gain free access to the internet through Vodafone using this hole; however, he is first consulting a lawyer on the legality of releasing such a program.
Williams created a YouTube video demonstrating the exploit in practice.
Vodafone told ZDNet Australia that the exploit is one that utilises the secure log-in hole that Vodafone has already announced it will close on 8 July.
"This is an example of one of the cases we mentioned in our communication to customers — i.e., the use of services via the internet that require a personal log-in, such as web-based email and internet banking," Vodafone said. "We are also conducting a review of some of the other settings mentioned."
Williams said he had yet to test out this exploit using a Telstra device.