Simple Bug Exposed Verizon Wireless Users’ SMS History

Verizon fios gateway flaw

A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with.

A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with.

The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn’t want others to have access to his account information.

“I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn’t want my account information to exposed in such way,” Collier said via email.

In his explanation of the attack, Collier said that simply modifying the subscriber’s phone number in the URL would give an attacker access to the SMS history for the targeted account. So, for example, a URL like the one below could be modified to include any other valid Verizon Wireless number, giving the attacker the ability to download a CSV file of the texts to and from the user’s phone. A sample URL would look like this:

https://wbillpay.verizonwireless.com/vzw/accountholder/unbilledusage/UnbilledMessaging.action?d-455677-e=2&1548506v4671=1&mtn=5555555555

Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose. The vulnerability has some similarities to one that was discovered and exploited on AT&T’s site in 2010, leading to the exposure of personal information belonging to more than 100,000 iPad owners. Andrew Auernheimer, also known as Weev, gave the data to a media site and eventually was convicted of identity fraud and other crimes, and is serving more than three years in prison.

However, Collier said he doesn’t see any comparisons between what he found and what Auernheimer did, specifically because Collier disclosed his findings to Verizon immediately and didn’t go public with the information until the flaw was fixed.

“This was reported in responsible disclosure, so I don’t see how this is being compared to Weev who had malicious intent,” Collier said.

Image from Flickr photos of Eric Hauser

Suggested articles