Verizon website glitch potentially exposed texting data of any phone number

By on October 21, 2013, 2:30 PM
verizon, glitch, url glitch, texting data, security vulnerability

A recent report from security researcher Prvsec suggests a simple URL hack may have exposed the texting data of tens of millions of Verizon customers. The vulnerability was fixed last month after the security researcher privately disclosed it to the carrier but the glaring oversight is no doubt embarrassing for the nation’s largest wireless provider.

The hack involved Verizon’s “download to spreadsheet” function on their website which lets customers download a CSV file of the date, time and the recipient of texts send and received. The URL to download the CSV file contained the user’s phone number and when that number was changed, it would let a user download a report for the associated URL number. Oops.

In an interview with The Verge, the researcher said he disclosed the hack in a responsible way with no ill intent. What’s more, he made sure that it did not become public until after Verizon had a chance to patch it. The researcher said he was a Verizon customer himself so he wouldn’t want his own data exposed in such a manner.

The researcher did criticize Verizon’s reporting process, however. It was reportedly an intricate and lengthy ordeal just to get in touch with the security team and once the bug had been reported, the status of the fix wasn’t updated for months. It should be easier to reach out, otherwise serious vulnerabilities like this could simply go unreported as researchers wouldn’t want to deal with the hassle of dealing with the process.

Verizon confirmed the report and said they addressed it as soon as it was brought to the attention of the security team. As such, no customer information was impacted.




User Comments: 2

Got something to say? Post a comment
insect said:

As such, no customer information was impacted.

... To their knowledge. I suspect anyone to that point could have downloaded the data without Verizon's knowledge. A bot run on the site could have downloaded everyone's info in a matter of days (or less) just by running from 000-000-0000 through 999-999-9999.

From there, it's just a matter of parsing the CSV data (which wouldn't be too difficult given the standard template Verizon uses for everyone), data-basing it, and searching it.

captaincranky captaincranky, TechSpot Addict, said:

I don't believe it's as simple as "000-000-0000". All Verizon's billing info contains 2 additional sets of numbers, adding "-000-00X" as a suffix.

Although who knows if the 2 data streams require all characters. The billing stream does, I simply don't know about the mobile.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.