Verizon Website Flaw Exposes 9 Million Broadband User Accounts

A major security flaw in Verizon's customer service support system exposed the personal information of nine million Verizon broadband customers. A report over at Buzzfeed notes how the now-fixed vulnerability was trivial to exploit; users simply needed to obtain and spoof a target's IP address (possible using a simple browser plugin), which allowed a user to fool Verizon's systems into thinking they were a Verizon customer. From there, it was easy to get Verizon support reps' help in changing the account passwords:

quote:
Within a few hours of the tip, and despite having no technical background, with the explicit permission of several Verizon account holders, I was able to convince Verizon customer service to reset an account password, giving me total control of a Verizon account. It was surprisingly easily done. It took me only two downloads, copy and pasting some information from an email, and a few interactions with Verizon customer support. It was just a matter of following step-by-step instructions. In other words, if you can follow a recipe, you could have probably gotten a Verizon password reset.
The exploit was discovered by Cinder Chief Information Security Officer Eric Taylor, who requested Buzzfeed contact Verizon before publicizing the flaw. Verizon gave DSLReports the following statement on the vulnerability:
quote:
“This issue was caused by a code error in a software update that occurred on April 22, 2015. Once it was brought to our attention, our experts immediately investigated the issue and repaired the error within hours on May 12.

“We have no reason to believe that any customers were impacted by this, other than those whose information was used by Buzzfeed. If we discover that any were, we will contact them directly.

“We appreciate the responsible manner in which Buzzfeed brought this matter to our attention. Addressing issues like this collaboratively is a constructive addition to our continuous actions to safeguard the security of customers’ information.”
Another security flaw was found in Verizon's MyFiOS app back in January that allowed hackers access to FiOS customer information and accounts.

MDA
Auto Negotiating
Premium Member
join:2013-09-10
Minneapolis, MN

Perhaps...

Verizon wants to leave customer websites un-upgraded and exit the security market?

birdfeedr
MVM
join:2001-08-11
Warwick, RI

Re: Perhaps...

said by MDA:

Verizon wants to leave customer websites un-upgraded and exit the security market?

Not sure where you're pulling that from. It is reported that the flaw was addressed and corrected.

[edit to add] I read the article. The code flaw appears to be recent and was corrected. While exposure is not minimal, it is not a case of "unresponsive evil corporation". However, it cannot be denied that VZ's customer-facing website is complex and byzantine.

MDA
Auto Negotiating
Premium Member
join:2013-09-10
Minneapolis, MN

Re: Perhaps...

Relax. It's a play on their behavior of wanting to exit the wireline business and leave infrastructure un-upgraded.

I'd hope they wouldn't neglect security; otherwise most of their user base would be gone. That's why I joked about it.

Defiance
Computer Elite
Premium Member
join:2002-09-11
Minocqua, WI

hmm

There better be some sort of monetary recourse here. Now users need to protect their identity from hackers who have their information. I say Verizon has to pay for that protection.

CosmicDebri
Still looking for intelligent life
join:2001-09-01
Lake City, FL

Member

Won't sell your data...

They won't sell your data to 3rd parties, but they'll make it easy for their customer service reps to be 'socially engineered'.

8744675
join:2000-10-10
Decatur, GA

Member

It used to be worse...

Several years ago I tried to log on to Verizon Wireless site but forgot my user name and password. I went to the forgot user id link and entered what I thought was the user id I registered with. It then displayed a list with 1 the user name that I entered. I selected that thinking it was my account and it returned the security question, What is your favorite color? I entered blue and it then asked me to enter a new password and voila, it displayed another customer's account! I could see their billing history, banking info, everything. I couldn't believe it. I took down their e-mail address so I could notify them what happened and that I changed their password to xxx so they could log on and change it back.

I logged out and went back, and tried the forgot user name again using different common user names. It returned a query of all similar user names to choose from! Dumb, dumb, dumb. If you pick an account who used the "What's your favorite color" password hint, it would only take guessing about 10 colors to get it right and access their account.

I couldn't believe how many stupid user Id's like User1, User2 or Verizon1, Verizon2 there were!

The actual account holder e-mailed me back to see if I was legit and I explained it again.

I also wrote a scathing e-mail to Verizon shaming them for their shitty security questions that anybody can guess in 10 tries and for displaying a query of similar user names instead of requiring an exact match for a forgotten user name recovery. They never replied, but the site was revamped shortly after.

cramer
Premium Member
join:2007-04-10
Raleigh, NC

Re: It used to be worse...

You don't get 10 tries; you get 3 and the account gets locked.

graycorgi
Premium Member
join:2004-02-23

Re: It used to be worse...

Blue, Green, and Purple make up about 75% of the responses to that question.

»www.livescience.com/3410 ··· ors.html

anon4fite
@suddenlink.net

Anon

Buzzfeed as a source?

You won't believe the ONE thing that Verizon is doing to keep you gaining weight!

Seriously though, Buzzfeed as a source makes me think today is April fool's or something. I hope they don't try to become a serious news source. I think I heard Fox News sourcing them as well.

TAZ
join:2014-01-03
Tucson, AZ

Member

Poor explanation

quote:
users simply needed to obtain and spoof a target's IP address (possible using a simple browser plugin)
BS. They added a (false) X-Forwarded-For HTTP header, which is different from "spoofing an IP" (which is effectively impossible to do in this context).

Also, in general, it's not a good idea to look for exploits on third-party sites unless you've been granted authorization to do so (e.g. via a bug bounty program like the ones Google, Facebook and others operate). In this case it seems mild enough considering all they did was add an HTTP header and had the permission of the target account holder, but I mention this for general reference.

spike010101
Premium Member
join:2003-11-28
Austin, TX

Re: Poor explanation

Yeah, this is what bugged me as well. You can't "spoof" an IP address of a TCP connection you actually want to be established. It's like sending a piece of mail to someone expecting a reply but providing the wrong return address; it just doesn't work like that.

As for the X-Forwarded-For header, that's Verizon's poor choice of how they handle that.
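The distinction TAZ and spike010101 draw (a client-supplied X-Forwarded-For header rather than real IP spoofing) comes down to whether the application believes that header from anyone. The following is an added example, not code from the article, Buzzfeed or Verizon: the fragile resolver beside a hardened one that only honours the header when the TCP peer is one of the site's own reverse proxies, with the proxy and customer address ranges being constructed values.

```python
import ipaddress

# Constructed sample configuration (not Verizon's real addressing):
# the reverse proxies the application sits behind, and the range it
# treats as "connecting from the customer network".
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
CUSTOMER_NETWORK = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3


def _is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip: str, headers: dict) -> str:
    """Fragile pattern: take the first X-Forwarded-For hop from any peer.
    Any client can write an arbitrary address here, which is the class
    of flaw the commenters describe (a forged header, not IP spoofing)."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def trusted_client_ip(peer_ip: str, headers: dict) -> str:
    """Hardened: the header only means something when the TCP peer is
    one of our own proxies. Walk the chain from the right, skipping hops
    our proxies appended; the first hop we did not add is the client."""
    if not _is_trusted_proxy(peer_ip):
        return peer_ip  # direct connection: ignore whatever the client sent
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not _is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed hop: fail closed to the proxy peer
    return peer_ip  # chain contained only our own proxies


def is_customer(peer_ip: str, headers: dict, resolver) -> bool:
    """Authorization decision that depends on the resolved client address."""
    return ipaddress.ip_address(resolver(peer_ip, headers)) in CUSTOMER_NETWORK
```

Logging the resolved address alongside the raw peer address makes a mismatch between the two on a direct (non-proxy) connection easy to alert on.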

Rogue Wolf
An Easy Draw of a Sad Few
join:2003-08-12
Troy, NY

Member

Let's all pretend to be surprised! Again.

Security isn't "sexy"; it doesn't boost stock prices or look good on a glossy advertisement. So it's always dead last on the corporate priority sheet (if it even makes it on there) until the inevitable happens and a breach of some sort occurs, which is when the corporate braintrust makes apologetic-sounding mouth-noises while offering "credit services" to try to mitigate the damage. And then sure, all minds will be on the topic of security... until the public's watchdogs get distracted, and then the status quo returns and the whole cycle starts again.

The only way we'll ever get out of this loop is to start holding executives legally responsible for breaches involving their customers' data. But that would require regulations- and then you might as well be waving the hammer and sickle, ya America-hatin' commie.

deltasix
@google.com

Anon

Re: Let's all pretend to be surprised! Again.

There is still another exploit that was not patched and it's worse than customers' account details...

linicx
Caveat Emptor
Premium Member
join:2002-12-03
United State

What I think

This is why I add a layer of protection in an extra password. Before you access my accounts you have to verbalize the password which is different than the Internet password to customer support. Been doing it for years.