SecurityWeek

Verizon’s Hum Website Found Leaking Credentials

Verizon says it has patched an information disclosure vulnerability identified by a researcher on the company’s Hum website.

Launched in August 2015, Hum is a Verizon product that allows users to add new technologies to their old cars, including vehicle diagnostics, roadside and emergency assistance, and stolen vehicle location features.

Independent security researcher Adam Caudill looked at the Hum website and found that the source code of the “shopping” page included a username and the password “Weblogic12.” The code also listed several domains, but Caudill noted that it was not clear whether an outside attacker could have used the credentials to collect private data.

“There are a few things about this that really surprise me: 1) How did Verizon allow this to go live? 2) Why aren’t they doing any type of post-deployment testing? 3) Weblogic12 – Seriously? Is that really an acceptable password?” Caudill said in a blog post.

The expert pointed to Verizon’s 2015 Data Breach Investigations Report (DBIR) which noted that the use of stolen and misused credentials continues to be the main method for accessing information, and two out of three breaches involve weak or stolen passwords.

Caudill said he tried to report the issue to Verizon via Twitter and email, but the email addresses he used turned out not to be valid.

Verizon representatives told SecurityWeek that the vulnerability has been fixed and that customer information was not at risk.

“Verizon Telematics takes the security of our customers very seriously. The issue has been resolved, and we’re happy to report that no customer information was at risk,” Verizon said.

Caudill has confirmed for SecurityWeek that the issue has been addressed. The expert believes the credentials were most likely included as debugging information and the developer forgot to remove them.

“This shows a lack of security controls – a developer shouldn’t be able to leak confidential information in such an obvious way, without it being noticed. It’s easy to say that you take security seriously, but it’s another to actually do it,” Caudill explained. “It took me approximately 30 seconds to notice the information being leaked – 30 seconds. With the vast resources of Verizon, you would think that they could have found someone with a basic understanding of security to spend 30 seconds looking at it.”

“Assuming that they are correct, that the API endpoints that are used to lookup customer records aren’t publicly available, then this should serve as a wakeup call that they need to revisit their security controls, because it could have been a disaster. They got lucky, this time,” the researcher added.
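The “post-deployment testing” Caudill asks about can be as simple as fetching each deployed page and scanning what the browser actually receives for credential-looking strings, so that a leftover debugging value like the one above fails the deploy rather than going live. The script below is an added example, not Verizon’s or the researcher’s code; the sample page, the list of credential-like keys and the regular expressions are constructed for illustration and would need tuning for a real site.

```python
"""Post-deployment check for credentials leaked in a page's HTML/JS source.

Added example (not Verizon's or Caudill's code). It flags two patterns that
usually mean a hard-coded credential shipped to the browser:
  * key/value assignments whose key looks like a password or secret,
    e.g.  var password = "Weblogic12";   "apiKey": "..."
  * Basic-auth userinfo embedded in a URL, e.g. https://admin:s3cret@host/
The sample page and all names below are constructed for this example.
"""
import re
import sys
import urllib.request
from dataclasses import dataclass

# Key fragments that usually carry a credential (matched case-insensitively).
SECRET_KEYS = r"(?:passw(?:or)?d|pwd|secret|api[_-]?key|auth[_-]?token|access[_-]?key)"

PATTERNS = {
    # password = "x"   'pwd': 'x'   "apiKey": "x"   (value is at least 4 chars)
    "assignment": re.compile(
        r"""["']?(?P<key>\w*""" + SECRET_KEYS + r"""\w*)["']?\s*[:=]\s*["'](?P<value>[^"'\s]{4,})["']""",
        re.IGNORECASE,
    ),
    # scheme://user:password@host  (credentials in the URL's userinfo part)
    "url_userinfo": re.compile(
        r"""https?://(?P<key>[^\s:/@"']+):(?P<value>[^\s/@"']+)@[\w.-]+""",
        re.IGNORECASE,
    ),
}

# Unrendered template variables and obvious dummies are not leaked secrets.
PLACEHOLDER = re.compile(r"^(\$\{|\{\{|<|%)|^(password|changeme|xxx+|\*+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    key: str        # variable/JSON key or URL username
    line: int       # 1-based line in the fetched source
    redacted: str   # never log or store the secret itself


def redact(value: str) -> str:
    """Keep two leading chars so a reviewer can recognise the value, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 4)


def scan_source(source: str) -> list[Finding]:
    """Return every credential-looking match in the given page source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if PLACEHOLDER.search(m.group("value")):
                    continue
                findings.append(Finding(kind, m.group("key"), lineno, redact(m.group("value"))))
    return findings


def scan_url(url: str, timeout: float = 10.0) -> list[Finding]:
    """Fetch a deployed page exactly as a browser would and scan it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return scan_source(resp.read().decode(charset, errors="replace"))


# Constructed sample page standing in for a "shopping" page with debug leftovers.
SAMPLE_PAGE = """<html><head>
<script>
  // debugging leftovers, constructed for this example
  var apiBase = "https://api.example.invalid/v1";
  var user = "svc_shop";
  var password = "Weblogic12";
  var pwd = "${DB_PASSWORD}";
  var cfg = {"accessKey": "AKIAEXAMPLE1234567", theme: "dark"};
  var legacy = "https://admin:Hunter2!@legacy.example.invalid/";
  var bad = "password";
</script>
</head><body>Shop</body></html>
"""

if __name__ == "__main__":
    # With a URL argument the live page is scanned; otherwise the sample page.
    results = scan_url(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_PAGE)
    for f in results:
        print(f"line {f.line}: {f.kind} key={f.key!r} value={f.redacted}")
    sys.exit(1 if results else 0)   # non-zero exit fails a CI/deploy pipeline
```

Run it against staging and production URLs as the last step of a deploy and treat any finding as a failed release; pair it with a pre-commit secret scanner so the same patterns are caught before the code is ever pushed. Regex scanning only catches the obvious cases, which is exactly the class of leak described in this article, and it does nothing about the weak password itself or about whether the referenced endpoints are reachable from the Internet, both of which need separate controls.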

This was not the first time someone found vulnerabilities in Verizon software. In January, researcher Randy Westergren reported discovering a flaw that could have been leveraged by hackers to hijack the email accounts of Verizon customers by exploiting a vulnerability in the telecom giant’s fiber optic Internet, telephone and television service FiOS.

*Updated with statement from Caudill

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
