Language Selection

English French German Italian Portuguese Spanish

Glitch on Verizon Wireless Web Site Left Data at Risk

Filed under
Security

Verizon Wireless said yesterday that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Inc. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature.

There was no indication that anyone took advantage of the flaws or that any customer financial information, such as Social Security or credit card account numbers, was disclosed, Verizon Wireless spokesman Tom Pica said. The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," Pica said.

Verizon Wireless said it had corrected the problem as of 2 a.m. yesterday. Pica said the company was still assessing whether it would notify customers about the situation.

The "My Account" feature has been available on the Verizon Wireless Web site for five years. Pica said the company does not yet know how long the flawed coding had been in place.

Pica confirmed the Web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- city and state -- and the make and model of phone the customer uses, Pica said.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.
Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided washingtonpost.com with a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one flaw but disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.
Zdziarski said he later conducted other tests and found that the problem he discovered also could be exploited to transfer one customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming wireless calls and make calls that would be billed to the victim's account. Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline when he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were unable to reproduce the phone-cloning scenario described by Zdziarski.

One of Verizon Wireless's competitors, Bellevue, Wash.-based T-Mobile International, disclosed in January that a security hole in its Web site exposed data on at least 400 customers, including a Secret Service agent. This year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

By Brian Krebs
The Washington Post

More in Tux Machines

Android Leftovers

Leftovers: OSS and Sharing

  • Apache Graduates Another Big Data Project to Top Level
    For the past year, we've taken note of the many projects that the Apache Software Foundation has been elevating to Top-Level Status. The organization incubates more than 350 open source projects and initiatives, and has squarely turned its focus to Big Data and developer-focused tools in recent months. As Apache moves Big Data projects to Top-Level Status, they gain valuable community support. Only days ago, the foundation announced that Apache Kudu has graduated from the Apache Incubator to become a Top-Level Project (TLP). Kudu is an open source columnar storage engine built for the Apache Hadoop ecosystem designed to enable flexible, high-performance analytic pipelines. And now, Apache Twill has graduated as well. Twill is an abstraction over Apache Hadoop YARN that reduces the complexity of developing distributed Hadoop applications, allowing developers to focus more on their application logic.
  • Spark 2.0 takes an all-in-one approach to big data
    Apache Spark, the in-memory processing system that's fast become a centerpiece of modern big data frameworks, has officially released its long-awaited version 2.0. Aside from some major usability and performance improvements, Spark 2.0's mission is to become a total solution for streaming and real-time data. This comes as a number of other projects -- including others from the Apache Foundation -- provide their own ways to boost real-time and in-memory processing.
  • Why Uber Engineering Switched from Postgres to MySQL
    The early architecture of Uber consisted of a monolithic backend application written in Python that used Postgres for data persistence. Since that time, the architecture of Uber has changed significantly, to a model of microservices and new data platforms. Specifically, in many of the cases where we previously used Postgres, we now use Schemaless, a novel database sharding layer built on top of MySQL. In this article, we’ll explore some of the drawbacks we found with Postgres and explain the decision to build Schemaless and other backend services on top of MySQL.
  • GNU Hyperbole 6.0.1 for Emacs 24.4 to 25 is released
    GNU Hyperbole (pronounced Ga-new Hi-per-bo-lee), or just Hyperbole, is an amazing programmable hypertextual information management system implemented as a GNU Emacs package. This is the first public release in 2016. Hyperbole has been greatly expanded and modernized for use with the latest Emacs 25 releases; it supports GNU Emacs 24.4 or above. It contains an extensive set of improvements that can greatly boost your day-to-day productivity with Emacs and your ability to manage information stored across many different machines on the internet. People who get used to Hyperbole find it helps them so much that they prefer never to use Emacs without it.
  • Belgium mulls reuse of banking mobile eID app
    The Belgium government wants to reuse ‘Belgian Mobile ID’ a smartphone app for electronic identification, developed by banks and telecom providers in the country. The eID app could be used for eGovernment services, and the federal IT service agency, Fedict, is working on the app’s integration.
  • Water resilience that flows: Open source technologies keep an eye on the water flow
    Communities around the world are familiar with the devastation brought on by floods and droughts. Scientists are concerned that, in light of global climate change, these events will only become more frequent and intense. Water variability, at its worst, can threaten the lives and well-beings of countless people. Sadly, humans cannot control the weather to protect themselves. But according to Silja Hund, a researcher at the University of British Columbia, communities can build resilience to water resource stress. Hund studies the occurrence and behavior of water. In particular, she studies rivers and streams. These have features (like water volume) that can change quickly. According to Hund, it is essential for communities to understand local water systems. Knowledge of water resources is helpful in developing effective water strategies. And one of the best ways to understand dynamic water bodies like rivers is to collect lots of data.

Development News

  • JavaScript keeps its spot atop programming language rankings
    U.K.-based technology analyst firm RedMonk just released the latest version of its biannual rankings of programming languages, and once again JavaScript tops the list, followed by Java and PHP. Those are same three languages that topped RedMonk’s list in January. In fact, the entire top 10 remains the same as it was it was six months ago. Perhaps the biggest surprise in Redmonk’s list—compiling the “performance of programming languages relative to one another on GitHub and Stack Overflow”—is that there are so few surprises, at least in the top 10.
  • Plenty of fish in the C, IEEE finds in language popularity contest
    It's no surprise that C and Java share the top two spots in the IEEE Spectrum's latest Interactive Top Programming Languages survey, but R at number five? That's a surprise. This month's raking from TIOBE put Java at number one and C at number two, while the IEEE reverses those two, and the IEEE doesn't rank assembly as a top-ten language like TIOBE does. It's worth noting however that the IEEE's sources are extremely diverse: the index comprises search results from Google, Twitter, GitHub, StackOverflow, Reddit, Hacker News, CareerBuilder, Dice, and the institute's own eXplore Digital Library. Even then, there are some oddities in the 48 programming environments assessed: several commenters to the index have already remarked that “Arduino” shouldn't be considered a language, because code for the teeny breadboard is written in C or C++.

Security Leftovers