October 23, 2013
As recently as August, a Verizon glitch exposed government officials' text message histories in a way that would have allowed anyone to discern their inner circles, according to security researchers. The vulnerability was fixed after a non-government customer pointed out the danger to the company this summer.
Attackers could simply type their target's phone number into a URL to see a spreadsheet of text message contacts, timestamps and dates, according to researchers. The content of the messages was not visible.
"This was a very basic Web application security flaw that was trivial to exploit. All you need is a browser, no special hacking tool," said Johannes B. Ullrich, dean of research for the SANS Technology Institute.
According to a report by Kaspersky Lab on Monday, "Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose.”
Verizon Communications, as of September, was the largest telecommunications supplier to the federal government.
Verizon officials said no government users, or any other users, were affected by the bug. "No customer information was impacted," company spokesman Kevin Irland said. "Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it."
Ullrich, however, said customer data must have been impacted, unless Verizon checked every Web log to rule out the possibility that an outsider had viewed the user’s information. Irland did not respond when asked whether the company examined all communication records.
Verizon would not be the first mobile carrier to accidentally display customer data.
"Sadly, these authentication bypass flaws are very common," Ullrich said.
This error somewhat resembles one triggered on AT&T’s site in 2010, leading to the exposure of personal information belonging to about 120,000 iPad owners, according to Kaspersky researchers.
Andrew Auernheimer, nicknamed “Weev,” shared the data with the media, was convicted of data theft and other crimes, and now is serving more than three years in prison.
Compared to the AT&T iPad situation, Ullrich said, "I think the Verizon leak was worse, maybe they just got lucky that nobody exploited it."
October 23, 2013