A recent report from security researcher Prvsec suggests a simple URL hack may have exposed the texting data of tens of millions of Verizon customers. The vulnerability was fixed last month after the security researcher privately disclosed it to the carrier, but the glaring oversight is no doubt embarrassing for the nation’s largest wireless provider.
The hack involved the “download to spreadsheet” function on Verizon’s website, which lets customers download a CSV file of the date, time and recipient of texts sent and received. The URL to download the CSV file contained the user’s phone number, and when that number was changed, a user could download the report for whatever number was in the URL. Oops.
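The flaw described above is a missing ownership check on a client-supplied identifier. The following added example (not Verizon's code or the researcher's; the account names, phone numbers, data and function names are all constructed) contrasts a handler that trusts the number in the URL with one that authorizes it against the logged-in session and records denials for review:

```python
import csv
import io

# Constructed sample data: which lines each account owns, and each line's log.
ACCOUNT_LINES = {"acct-A": {"5550100001"}, "acct-B": {"5550100002"}}
MESSAGE_LOG = {
    "5550100001": [("2000-01-02", "09:15", "5550100099")],
    "5550100002": [("2000-01-03", "17:40", "5550100077")],
}

class Forbidden(Exception):
    """The requested line does not belong to the authenticated account."""

def _to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "time", "number"])
    writer.writerows(rows)
    return buf.getvalue()

def export_vulnerable(session_account, requested_number):
    # Trusts the number taken from the URL; the session is never consulted.
    return _to_csv(MESSAGE_LOG.get(requested_number, []))

def export_checked(session_account, requested_number, audit):
    # Authorize against server-side session state, not the client's value.
    owned = ACCOUNT_LINES.get(session_account, set())
    if requested_number not in owned:
        audit.append((session_account, requested_number, "denied"))
        raise Forbidden("line is not on this account")
    audit.append((session_account, requested_number, "ok"))
    return _to_csv(MESSAGE_LOG[requested_number])

def enumeration_suspects(audit, threshold=2):
    # Flag accounts denied on several distinct numbers, a sign that someone
    # is stepping through values in the URL.
    denied = {}
    for account, number, result in audit:
        if result == "denied":
            denied.setdefault(account, set()).add(number)
    return sorted(a for a, nums in denied.items() if len(nums) >= threshold)
```
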
In an interview with The Verge, the researcher said he disclosed the hack in a responsible way with no ill intent. What’s more, he made sure that it did not become public until after Verizon had a chance to patch it. The researcher said he was a Verizon customer himself so he wouldn’t want his own data exposed in such a manner.
The researcher did criticize Verizon’s reporting process, however. It was reportedly an intricate and lengthy ordeal just to get in touch with the security team, and once the bug had been reported, the status of the fix wasn’t updated for months. It should be easier to reach out; otherwise serious vulnerabilities like this could simply go unreported, as researchers wouldn’t want to deal with the hassle of the process.
Verizon confirmed the report and said they addressed it as soon as it was brought to the attention of the security team. As such, no customer information was impacted.