
Glitch on Verizon Wireless Web Site Left Data at Risk

Filed under
Security

Verizon Wireless said yesterday that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Inc. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature.

There was no indication that anyone took advantage of the flaws or that any customer financial information, such as Social Security or credit card account numbers, was disclosed, Verizon Wireless spokesman Tom Pica said. The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," Pica said.

Verizon Wireless said it had corrected the problem as of 2 a.m. yesterday. Pica said the company was still assessing whether it would notify customers about the situation.

The "My Account" feature has been available on the Verizon Wireless Web site for five years. Pica said the company does not yet know how long the flawed coding had been in place.

Pica confirmed the Web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- city and state -- and the make and model of phone the customer uses, Pica said.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.

Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided washingtonpost.com with a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.
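The class of flaw Zdziarski describes, an account lookup that trusts the phone number typed into the request instead of the account the session logged in as, is illustrated below with a vulnerable handler beside a hardened one. This is an added example constructed for this page, not Verizon Wireless's code; the account records, session store, phone numbers and function names are all assumptions.

```python
# Added illustration of an account lookup keyed on a caller-supplied phone
# number with no check that the number belongs to the logged-in subscriber
# (an insecure direct object reference), beside the corrected version.
# All data and names here are constructed; this is not Verizon's code.
from dataclasses import dataclass
from typing import Callable, Optional


class AuthorizationError(Exception):
    """Raised when a request is not allowed to see the account it names."""


@dataclass(frozen=True)
class Account:
    phone: str
    minutes_used: int
    minutes_remaining: int
    balance_due: float


# Constructed sample billing records keyed by subscriber phone number
# (hypothetical numbers, not real subscribers).
ACCOUNTS = {
    "2015550101": Account("2015550101", 312, 388, 54.10),
    "2015550102": Account("2015550102", 45, 955, 0.00),
}

# Constructed session store: session id -> the phone number that session
# authenticated as. A real site would hold this server-side.
SESSIONS = {
    "sess-alice": "2015550101",
    "sess-bob": "2015550102",
}

# Denied cross-account requests, kept so monitoring can spot enumeration.
AUDIT_LOG: list = []


def _summary(acct: Account) -> dict:
    return {
        "used": acct.minutes_used,
        "remaining": acct.minutes_remaining,
        "balance": acct.balance_due,
    }


def account_summary_vulnerable(session_id: str, phone: str) -> dict:
    """Vulnerable pattern: the session only proves that *someone* is logged
    in; the record returned is whatever phone number the request names."""
    if session_id not in SESSIONS:
        raise AuthorizationError("not logged in")
    acct = ACCOUNTS[phone]  # no check that `phone` belongs to this session
    return _summary(acct)


def account_summary_fixed(session_id: str, phone: str) -> dict:
    """Hardened pattern: the account is resolved from the session, and the
    phone number in the request must match it. 'Not yours' and 'no such
    account' produce the same error so the endpoint cannot be used as an
    oracle for which numbers exist."""
    owner = SESSIONS.get(session_id)
    if owner is None or phone != owner or owner not in ACCOUNTS:
        AUDIT_LOG.append({"session": session_id, "requested": phone})
        raise AuthorizationError("account not accessible from this session")
    return _summary(ACCOUNTS[owner])  # key comes from the session, not the request


def try_summary(handler: Callable[[str, str], dict],
                session_id: str, phone: str) -> Optional[dict]:
    """Run a handler and return None instead of raising, for easy comparison."""
    try:
        return handler(session_id, phone)
    except AuthorizationError:
        return None


if __name__ == "__main__":
    # Alice's session asking for Bob's number: the vulnerable handler answers,
    # the fixed one refuses and records the attempt.
    print(try_summary(account_summary_vulnerable, "sess-alice", "2015550102"))
    print(try_summary(account_summary_fixed, "sess-alice", "2015550102"))
    print(AUDIT_LOG)
```

The hardened handler never uses the request's phone number as a lookup key; it derives the key from the session and only compares the request against it. Logging each refusal gives operations a signal for the pattern the article describes, one session asking for many other subscribers' numbers, and returning one generic error for both "not yours" and "does not exist" keeps the endpoint from confirming which numbers are live accounts.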

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one flaw but disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.

Zdziarski said he later conducted other tests and found that the problem he discovered also could be exploited to transfer one customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming wireless calls and make calls that would be billed to the victim's account. Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline when he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were unable to reproduce the phone-cloning scenario described by Zdziarski.

One of Verizon Wireless's competitors, Bellevue, Wash.-based T-Mobile International, disclosed in January that a security hole in its Web site exposed data on at least 400 customers, including a Secret Service agent. This year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

By Brian Krebs
The Washington Post
