An 18-year-old security researcher from Sydney who found a flaw in Optus' mobile voicemail service has found another vulnerability, this time in Vodafone Australia's voicemail system.

The flaw was only resolved after Fairfax Media raised a series of questions about the vulnerability, which also exposed Vodafone customers to identity theft through unauthorised access to online services such as Google, which use two-factor authentication via a phone call.

Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Credit:Peter Rae

The Vodafone flaw allowed anyone to "bruteforce" a target's voicemail PIN using easily accessible technology and gain access to the phone subscriber's voicemail messages.

The practice of brute forcing involves hackers using software to try multiple PIN combinations to gain access to a service. Typically secure systems employ bruteforce protection that will lock hackers out after a certain number of incorrect attempts, but Vodafone's Australian system had no such protection.