Language Selection

English French German Italian Portuguese Spanish

Glitch on Verizon Wireless Web Site Left Data at Risk

Filed under
Security

Verizon Wireless said yesterday that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Inc. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature.

There was no indication that anyone took advantage of the flaws or that any customer financial information, such as Social Security or credit card account numbers, was disclosed, Verizon Wireless spokesman Tom Pica said. The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," Pica said.

Verizon Wireless said it had corrected the problem as of 2 a.m. yesterday. Pica said the company was still assessing whether it would notify customers about the situation.

The "My Account" feature has been available on the Verizon Wireless Web site for five years. Pica said the company does not yet know how long the flawed coding had been in place.

Pica confirmed the Web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- city and state -- and the make and model of phone the customer uses, Pica said.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.
Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided washingtonpost.com with a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one flaw but disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.
Zdziarski said he later conducted other tests and found that the problem he discovered also could be exploited to transfer one customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming wireless calls and make calls that would be billed to the victim's account. Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline when he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were unable to reproduce the phone-cloning scenario described by Zdziarski.

One of Verizon Wireless's competitors, Bellevue, Wash.-based T-Mobile International, disclosed in January that a security hole in its Web site exposed data on at least 400 customers, including a Secret Service agent. This year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

By Brian Krebs
The Washington Post

More in Tux Machines

New GNU/Linux Releases: TheSSS, Arkas OS, Black Lab, and Parrot

  • The Smallest Server Suite Gets Special Edition with PHP 7.0.15, Apache 2.4.25
    4MLinux developer Zbigniew Konojacki informs Softpedia about the availability of a special edition of the TheSSS (The Smallest Server Suite) Live Linux operating system. Carrying the same version number as the original TheSSS release, namely 21.0, and dubbed TheSSS7, the new flavor ships with more recent PHP packages from the 7.0.x series. Specifically, TheSSS7 includes PHP 7.0.15, while TheSSS comes with PHP 5.6.30.
  • Descent OS Is Dead, Arkas OS Takes Its Place and It's Based on Ubuntu 16.04 LTS
    Some of you out there might remember the Descent OS distro created by Brian Manderville and based on the popular Ubuntu Linux operating system, and today we have some bad news for them as the development is now officially closed. Descent OS first appeared in February 2012 as a lightweight Ubuntu derivative built around the GNOME 2 desktop environment. Back then, it was known as Descent|OS, and was quite actively developed with new features and components borrowed from the latest Ubuntu releases.
  • Black Lab Linux 8.1 Out Now with LibreOffice 5.3, It's Based on Ubuntu 16.04 LTS
    Softpedia was informed today by the Black Lab Software project about the general availability of the first point release to the Black Lab Linux 8.0 operating system series. Serving as a base release to the company's enterprise offerings and equipped with all the long-term supported Linux 4.4 kernel from the Ubuntu 16.04 LTS (Xenial Xerus) operating system, Black Lab Linux 8.1 comes with up-to-date components and the latest security patches ported from Ubuntu's repositories as of February 15, 2017. "Today we are pleased to announce the release of Black Lab Linux 8.1. Our first incremental release to the 8.0 series. In this release we have brought all security updates up to Feb 15, 2017, as well as application updates," said Roberto J. Dohnert, CEO of Black Lab Software.
  • Parrot 3.5 – Call For Betatesters
    We did our best to prepare these preview images including all the updates and the new features introduced since the last release, but now we need your help to understand how to make it even better, and of course we need your help to understand if there is something that doesn’t work as expected or something that absolutely needs to be included in the final release.

Linux and Graphics

  • Linux Kernel 4.10 Now Available for Linux Lite Users, Here's How to Install It
    Minutes after the release of Linux kernel 4.10 last evening, Jerry Bezencon from the Linux Lite project announced that users of the Ubuntu-based distribution can now install it on their machines. Linux 4.10 is now the most advanced kernel branch for all Linux-based operating systems, and brings many exciting new features like virtual GPU support, better writeback management, eBPF hooks for cgroups, as well as Intel Cache Allocation Technology support for the L2/L3 caches of Intel processors.
  • Wacom's Intuos Pro To Be Supported By The Linux 4.11 Kernel
    Jiri Kosina submitted the HID updates today for the Linux 4.11 kernel cycle.
  • Mesa 13.0.5 Released for Linux Gamers with over 70 Improvements, Bug Fixes
    We reported the other day that Mesa 13.0.5 3D Graphics Library will be released this week, and it looks like Collabora's Emil Velikov announced it earlier this morning for all Linux gamers. Mesa 13.0.5 is a maintenance update to the Mesa 13.0 stable series of the open source graphics stack used by default in numerous, if not all GNU/Linux distributions, providing gamers with powerful drivers for their AMD Radeon, Nvidia, and Intel GPUs. It comes approximately three weeks after the Mesa 13.0.4 update.
  • mesa 13.0.5

Interview: Thomas Weissel Installing Plasma in Austrian Schools

With Plasma 5 having reached maturity for widespread use we are starting to see rollouts of it in large environments. Dot News interviewed the admin behind one such rollout in Austrian schools. Read more

today's leftovers

  • Top Lightweight Linux Distributions To Try In 2017
    Today I am going to discuss the top lightweight Linux distros you can try this year on your computer. Although you got yourself a prettyLinuxle linux already but there is always something new to try in Linux. Remember I recommend to try this distros in virtualbox firstly or with the live boot before messing with your system. All distro that I will mention here will be new and somewhat differ from regular distros.
  • [ANNOUNCE] linux-4.10-ck1 / MuQSS CPU scheduler 0.152
  • MSAA Compression Support For Intel's ANV Vulkan Driver
    Intel developer Jason Ekstrand posted a patch over the weekend for enabling MSAA compression support within the ANV Vulkan driver.
  • Highlights of YaST development sprint 31
    As we announced in the previous report, our 31th Scrum sprint was slightly shorter than the usual ones. But you would never say so looking to this blog post. We have a lot of things to talk you about!
  • Comparing Mobile Subscriber Data Across Different Sources - How accurate is the TomiAhonen Almanac every year?
    You’ll see that last spring I felt the world had 7.6 Billion total mobile subscriptions when machine-to-machine (M2M) connections are included. I felt the world had 7.2 Billion total subscriptions when excluding M2M and just counting those in use by humans. And the most relevant number (bottom line) is the ‘unique’ mobile users, which I felt was an even 5.0 Billion humans in 2015. The chart also has the total handsets-in-use statistic which I felt was 5.6 Billion at the end of 2015. Note that I was literally the first person to report on the distinction of the unique user count vs total subscriptions and I have been urging, nearly begging for the big industry giants to also measure that number. They are slowly joining in that count. Similarly to M2M, we also are now starting to see others report M2M counts. I have yet to see a major mobile statistical provider give a global count of devices in use. That will hopefully come also, soon. But lets examine these three numbers that we now do have other sources, a year later, to see did I know what I was doing.