Verizon Wireless – how a simple bug could cause a disaster

A researcher discovered a serious vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone to download user’s SMS message history.

A security researcher found a simple flaw that exposed Verizon Wireless users’ SMS history, the critical flaw allows an attacker to access the list of SMS history viewing all the numbers of users that communicated with the victim. The exploitation of the critical bug is very simple, the attacker only needs to modify the subscriber’s phone number in the URL to access to the SMS history of the victim’s account on Verizon Wireless’s Web-based customer portal . Within the URL is recognizable the variable ‘Mtn’ associated with the mobile number, the attacker could manipulate it to target a specific user.
https://wbillpay.verizonwireless.com/vzw/accountholder/unbilledusage/UnbilledMessaging.action?d-455677-e=2&1548506v4671=1&mtn=999999999
“Message details consist of: Date, Time, To, From, and Direction an SMS or MMS took place. With no user interaction, all that was required was a subscriber’s phone number.” the researcher explained.

The possible exploitation of the flaw has serious repercussion on the Verizon Wireless user’s privacy, any individual could download the spreadsheet containing the private information of any number, accessing to the contact lists and texting habits.

It is not first time that Verizon user’s privacy is threatened by a security issue, back in August, researcher ‘Cody Collier’ found that a simple URL exploit could allow any subscriber to extract data using ‘Download to SpreadSheet’ function.

At the moment Verizon’s site doesn’t offer any detailed analysis of the vulnerabilities neither provide info on the misuse of the flaw. Now Verizon has created a dedicated email contact, CorporateSecurity@verizonwireless.com, to field these security issues.

Just for curiosity the vulnerability presents some similarities to the one that was discovered and exploited on AT&T’s site in 2010 that caused a serious data breach. It was exposed personal information belonging to more than 100,000 iPad owners and the hacker Andrew Auernheimer, aka Weev, who gave the data to the media site was convicted of identity fraud.

Fortunately Collier reported the bug to the Verizon and waited for its disclosure that the company fixed it.
“This was reported in responsible disclosure, so I don’t see how this is being compared to Weev who had malicious intent,” Collier said.

Lesson learned:
Although a multinational company like Verizon has always been attentive to the problems of security, what happened is an indication of serious security issues. The development of the portal was clearly lacking input validation, but more serious is that have not been tested for functionality potentially accessible from the outside and that can have a serious impact on the privacy of users.
Security is an obligation, not a cost!

(Source: CDM, Pierluigi Paganini, Editor and Chief )