A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with.

The vulnerability, which has since been fixed, resulted from the Verizon Web app failing to check that a phone number entered into the app actually belonged to the user who was entering it. After entering the number, a user could download a spreadsheet file of the SMS activity on the target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn’t want others to have access to his account information.

“I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn’t want my account information to be exposed in such a way,” Collier said via email.

In his explanation of the attack, Collier said that simply modifying the subscriber’s phone number in the URL would give an attacker access to the SMS history for the targeted account. The number could be replaced with any other valid Verizon Wireless number, and the app would return a CSV file of the texts to and from that user’s phone. A sample URL looked like this:

https://wbillpay.verizonwireless.com/vzw/accountholder/unbilledusage/UnbilledMessaging.action?d-455677-e=2&1548506v4671=1&mtn=5555555555

Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose. The vulnerability has some similarities to one that was discovered and exploited on AT&T’s site in 2010, leading to the exposure of personal information belonging to more than 100,000 iPad owners. Andrew Auernheimer, also known as Weev, gave the data to a media site and eventually was convicted of identity fraud and other crimes, and is serving more than three years in prison.
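The defect the article describes is a missing object-level authorization check: the server trusted the client-supplied `mtn` parameter and never verified that the number belonged to the authenticated account. The following is an added example, not Verizon’s code (which is not public), modelling the vulnerable handler beside a hardened version. The function names, the `Session` type, the sample SMS records and the audit log are all constructed for illustration.

```python
"""
Added example (not the Verizon code): a minimal model of the access-control
defect described in the article, an insecure direct object reference on the
`mtn` (mobile telephone number) parameter, next to the hardened handler that
checks the requested number belongs to the authenticated account.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample data: two subscribers, each with SMS usage records.
SMS_RECORDS = {
    "5555555555": [("2013-06-01 09:14", "5551234567", "sent"),
                   ("2013-06-01 09:20", "5551234567", "received")],
    "5555550101": [("2013-06-02 18:02", "5559876543", "sent")],
}


@dataclass(frozen=True)
class Session:
    """Authenticated session. `mtns` are the lines on this account."""
    account_id: str
    mtns: frozenset


def to_csv(rows):
    """Render usage rows as the CSV download the portal served."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "counterparty", "direction"])
    writer.writerows(rows)
    return buf.getvalue()


def unbilled_messaging_vulnerable(session, mtn):
    """The defect: the handler trusts the client-supplied `mtn` and never
    checks that it belongs to `session`, so any valid number is served."""
    rows = SMS_RECORDS.get(mtn)
    if rows is None:
        return 404, ""
    return 200, to_csv(rows)


def unbilled_messaging_fixed(session, mtn, audit_log):
    """Hardened form: object-level authorization. The requested `mtn` must be
    one of the lines on the authenticated account; otherwise deny and record
    the mismatch so repeated attempts from one account are visible."""
    if mtn not in session.mtns:
        audit_log.append(
            f"DENY account={session.account_id} requested mtn={mtn}")
        return 403, ""
    rows = SMS_RECORDS.get(mtn, [])
    return 200, to_csv(rows)


def denials_per_account(audit_log):
    """Detection helper: count ownership-check failures per account. A
    burst of denials from a single session is the signal a defender wants."""
    counts = {}
    for line in audit_log:
        if line.startswith("DENY "):
            account = line.split()[1].split("=", 1)[1]
            counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    victim_mtn = "5555555555"
    other = Session(account_id="A1", mtns=frozenset({"5555550101"}))
    print(unbilled_messaging_vulnerable(other, victim_mtn)[0])   # 200: leak
    log = []
    print(unbilled_messaging_fixed(other, victim_mtn, log)[0])   # 403: denied
    print(denials_per_account(log))
```

The more robust fix is to not accept an account identifier from the URL at all and instead derive the line from the session; where a parameter is unavoidable (one account with several lines), the check above is the minimum, and the denial log feeds the alerting that would catch enumeration of many numbers from one session.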

However, Collier said he doesn’t see any comparisons between what he found and what Auernheimer did, specifically because Collier disclosed his findings to Verizon immediately and didn’t go public with the information until the flaw was fixed.

“This was reported in responsible disclosure, so I don’t see how this is being compared to Weev who had malicious intent,” Collier said.

Image from Flickr photos of Eric Hauser


Comments (9)

  1. mike mccraig

    It is the *exact* same thing. You are guilty under the CFAA for the exact same crimes that convicted Auernheimer and should (one would think) be tried on the same set of charges. I eagerly await the DA of whatever state you reside in charging you and convicting you on the same grounds. 41 months sounds about right. You violated the TOS of Verizon’s website and should serve hard time, criminal scum.

    • noMike

      It’s not the *exact* same thing at all, the article says the other fellow was convicted of Identity Fraud, but you do have a point. Any DA could file the CFAA charges and the poor fellow would indeed have to defend himself.

      Just like reporting to the FBI that you got hacked, but when you did a scan to verify the attack you too broke the law and are now under the thumb.

  2. Allana

    Without people like this who purposely test the security measures, many flaws would not be found until someone with malicious intent took advantage of them. When someone finds a flaw and reports it to the proper authorities or companies, then they should not be charged with a crime. They should be rewarded.

  3. acline

    Since I can’t access the “explanation of the attack” I can only go by what Mr. Collier says in the article. I’m taking him at his word of being a security researcher. How you can call this man scum and say he deserves jail time is beyond ridiculous. He reported this to Verizon BEFORE any public disclosure. Would you rather he had not reported the vulnerability? How stupid is that????

    • Angus

      The comment you’re replying to is satirising the legal system under which security researchers really do get sent to jail for this sort of thing.

  4. Emily

    I was a kid in grammar school when my father told me “If you ever see a dead body, Girl, just keep walking and don’t tell a soul.” He told me how, if the police don’t want to do the work of investigating, or if they can’t solve the case, you are their link to it.
    Yeah, I keep walking, especially after 25 years of court reporting to verify that, by golly, my daddy had a point.

  5. GradyPhilpott

    If Edward Snowden had initiated a Congressional inquiry into the matters of the NSA, he wouldn’t be sitting in some rat hole in Russia and would be considered a true whistle-blower.
