Verizon’s Hum Website Found Leaking Credentials

Verizon says it has patched an information disclosure vulnerability identified by a researcher on the company’s Hum website.

Launched in August 2015, Hum is a Verizon product that allows users to add new technologies to their old cars, including vehicle diagnostics, roadside and emergency assistance, and stolen vehicle location features.

Independent security researcher Adam Caudill analyzed the Hum website and discovered that the source code of the “shopping” page included a username and the password “Weblogic12.” There were several domains listed in the code, but the expert noted that it wasn’t clear if an outside attacker could collect private data.

“There are a few things about this that really surprise me: 1) How did Verizon allow this to go live? 2) Why aren’t they doing any type of post-deployment testing? 3) Weblogic12 – Seriously? Is that really an acceptable password?,” Caudill said in a blog post.

The expert pointed to Verizon’s 2015 Data Breach Investigations Report (DBIR) which noted that the use of stolen and misused credentials continues to be the main method for accessing information, and two out of three breaches involve weak or stolen passwords.

Caudill said he attempted to report the issue to Verizon via Twitter and email, although the email addresses he used were not valid.

Verizon representatives told SecurityWeek that the vulnerability has been fixed and that customer information was not at risk.

“Verizon Telematics takes the security of our customers very seriously. The issue has been resolved, and we’re happy to report that no customer information was at risk,” Verizon said.

Caudill has confirmed for SecurityWeek that the issue has been addressed. The expert believes the credentials were most likely included as debugging information and the developer forgot to remove them.

“This shows a lack of security controls – a developer shouldn’t be able to leak confidential information in such an obvious way, without it being noticed. It’s easy to say that you take security seriously, but it’s another to actually do it,” Caudill explained. “It took me approximately 30 seconds to notice the information being leaked – 30 seconds. With the vast resources of Verizon, you would think that they could have found someone with a basic understanding of security to spend 30 seconds looking at it.”

“Assuming that they are correct, that the API endpoints that are used to lookup customer records aren’t publicly available, then this should serve as a wakeup call that they need to revisit their security controls, because it could have been a disaster. They got lucky, this time,” the researcher added.

This was not the first time someone found vulnerabilities in Verizon software. In January, researcher Randy Westergren reported discovering a flaw that could have been leveraged by hackers to hijack the email accounts of Verizon customers by exploiting a vulnerability in the telecom giant’s fiber optic Internet, telephone and television service FiOS.

*Updated with statement from Caudill