Stevenson demonstrated the vulnerability on a test account he set up, automating a process that sent code after code to the browser until the right one was selected. That code then let him reset the account password. Based on his demonstration, it would take around a day to try out every possible code with Stevenson’s setup, but he says it could probably happen more quickly with a faster connection.
Frontier told ZDNet that it’s investigating the issue. “Out of an abundance of caution while the matter is being investigated, Frontier has shut down the functionality of changing a customer’s password via the web,” a company spokesperson said.