
Glitch on Verizon Wireless Web Site Left Data at Risk


Verizon Wireless said yesterday that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Inc. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature.

There was no indication that anyone took advantage of the flaws or that any customer financial information, such as Social Security or credit card account numbers, was disclosed, Verizon Wireless spokesman Tom Pica said. The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," Pica said.

Verizon Wireless said it had corrected the problem as of 2 a.m. yesterday. Pica said the company was still assessing whether it would notify customers about the situation.

The "My Account" feature has been available on the Verizon Wireless Web site for five years. Pica said the company does not yet know how long the flawed coding had been in place.

Pica confirmed the Web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- city and state -- and the make and model of phone the customer uses, Pica said.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.

Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.
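The flaw Zdziarski describes is the classic pattern of an authenticated page that looks up an account by a client-supplied identifier (here, a phone number) without checking that the identifier belongs to the logged-in user. The Python below is an added illustration of that flaw class beside its fix; it is not Verizon Wireless's code and does not reproduce the actual site. The account records, session tokens and phone numbers are constructed sample data, and `vulnerable_usage`, `hardened_usage` and `enumerate_numbers` are hypothetical names.

```python
"""Added illustration (not Verizon Wireless code): an authenticated
account-usage lookup that trusts a client-supplied phone number, beside
a version that binds the lookup to the logged-in owner."""
from dataclasses import dataclass


@dataclass
class Account:
    phone: str          # 10-digit subscriber number
    owner: str          # username of the "My Account" login that owns it
    minutes_used: int
    minutes_remaining: int


# Constructed sample data: two subscribers with separate logins.
ACCOUNTS = {
    "2125550100": Account("2125550100", "alice", 412, 588),
    "4045550123": Account("4045550123", "bob", 90, 910),
}

# Constructed session store: session token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class NotAuthorized(Exception):
    """Raised when the request carries no valid session."""


def vulnerable_usage(session_token, phone):
    """Checks that the caller is logged in, then looks up whatever phone
    number the client supplied.  Any subscriber can read any other
    subscriber's minutes just by changing the number in the request."""
    if session_token not in SESSIONS:
        raise NotAuthorized("login required")
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return None
    return {"used": acct.minutes_used, "remaining": acct.minutes_remaining}


def hardened_usage(session_token, phone):
    """Same lookup, but the requested number must belong to the
    authenticated user.  A foreign number gets the same answer as a
    non-existent one, so an enumerating client learns nothing."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise NotAuthorized("login required")
    acct = ACCOUNTS.get(phone)
    if acct is None or acct.owner != owner:
        return None
    return {"used": acct.minutes_used, "remaining": acct.minutes_remaining}


def enumerate_numbers(lookup, session_token, prefix, count):
    """Models the automated query script from the article turned against
    other subscribers: try `count` consecutive numbers under `prefix`
    with one valid login and return those that yielded account data."""
    hits = []
    for n in range(count):
        phone = f"{prefix}{n:04d}"
        if lookup(session_token, phone) is not None:
            hits.append(phone)
    return hits


if __name__ == "__main__":
    # Alice's login reads Bob's account through the vulnerable lookup ...
    print(vulnerable_usage("tok-alice", "4045550123"))
    # ... and an enumerating loop with her token finds his number.
    print(enumerate_numbers(vulnerable_usage, "tok-alice", "404555", 200))
    # The hardened lookup returns nothing for either.
    print(hardened_usage("tok-alice", "4045550123"))
    print(enumerate_numbers(hardened_usage, "tok-alice", "404555", 200))
```

The point of the hardened version is that authentication (is there a valid session?) and authorization (does this session own the requested record?) are separate checks; the vulnerable version performs only the first. Returning an identical "not found" answer for foreign and non-existent numbers also keeps the endpoint from serving as an oracle for which numbers are live subscribers.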

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one flaw but disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.

Zdziarski said he later conducted other tests and found that the problem he discovered also could be exploited to transfer one customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming wireless calls and make calls that would be billed to the victim's account. Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline when he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were unable to reproduce the phone-cloning scenario described by Zdziarski.

One of Verizon Wireless's competitors, Bellevue, Wash.-based T-Mobile International, disclosed in January that a security hole in its Web site exposed data on at least 400 customers, including a Secret Service agent. This year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

By Brian Krebs
The Washington Post
