Verizon’s Hum Website Found Leaking Credentials

Verizon says it has patched an information disclosure vulnerability identified by a researcher on the company’s Hum website.

Launched in August 2015, Hum is a Verizon product that allows users to add new technologies to their old cars, including vehicle diagnostics, roadside and emergency assistance, and stolen vehicle location features.

Independent security researcher Adam Caudill analyzed the Hum website and discovered that the source code of the “shopping” page included a username and the password “Weblogic12.” There were several domains listed in the code, but the expert noted that it wasn’t clear if an outside attacker could collect private data.

“There are a few things about this that really surprise me: 1) How did Verizon allow this to go live? 2) Why aren’t they doing any type of post-deployment testing? 3) Weblogic12 – Seriously? Is that really an acceptable password?” Caudill said in a blog post.

The expert pointed to Verizon’s 2015 Data Breach Investigations Report (DBIR), which noted that the use of stolen and misused credentials continues to be the main method for accessing information, and that two out of three breaches involve weak or stolen passwords.

Caudill said he attempted to report the issue to Verizon via Twitter and email, although the email addresses he used were not valid.

Verizon representatives told SecurityWeek that the vulnerability has been fixed and that customer information was not at risk.


“Verizon Telematics takes the security of our customers very seriously. The issue has been resolved, and we’re happy to report that no customer information was at risk,” Verizon said.

Caudill has confirmed for SecurityWeek that the issue has been addressed. The expert believes the credentials were most likely included as debugging information and the developer forgot to remove them.

“This shows a lack of security controls – a developer shouldn’t be able to leak confidential information in such an obvious way, without it being noticed. It’s easy to say that you take security seriously, but it’s another to actually do it,” Caudill explained. “It took me approximately 30 seconds to notice the information being leaked – 30 seconds. With the vast resources of Verizon, you would think that they could have found someone with a basic understanding of security to spend 30 seconds looking at it.”

“Assuming that they are correct, that the API endpoints that are used to lookup customer records aren’t publicly available, then this should serve as a wakeup call that they need to revisit their security controls, because it could have been a disaster. They got lucky, this time,” the researcher added.
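The kind of post-deployment check Caudill asks for can be as simple as scanning the HTML and inline scripts a server actually serves for credential-looking assignments. The example below is added here and is not Verizon's or Caudill's code; the page source it scans is a constructed sample that imitates the leak (an inline config block with a username, a password and backend hostnames), and the function and class names are the author's own.

```python
"""Post-deployment check: flag credential-like assignments in served page source."""
import re
from dataclasses import dataclass

# Constructed sample page resembling the leak described in the article.
# The hostnames are placeholders; the password value is the one quoted in the article.
SAMPLE_HTML = """
<html><head><title>Shop</title>
<script>
  var apiConfig = {
    "username": "svc_shop",
    "password": "Weblogic12",
    "hosts": ["api.example.internal", "orders.example.internal"]
  };
</script>
</head><body>...</body></html>
"""

# Matches key/value pairs such as  "password": "..."  or  password = '...'
CRED_KEY = re.compile(
    r'["\']?(?P<key>(?:user(?:name)?|pass(?:word|wd)?|secret|api[_-]?key|token))'
    r'["\']?\s*[:=]\s*["\'](?P<val>[^"\']{1,200})["\']',
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    value_preview: str  # redacted so the report itself does not re-leak the secret

def redact(value: str) -> str:
    """Keep first and last character only, e.g. Weblogic12 -> W********2."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]

def scan_source(html: str) -> list[Finding]:
    """Return every credential-like assignment found in the page source."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in CRED_KEY.finditer(line):
            findings.append(Finding(lineno, m.group("key").lower(), redact(m.group("val"))))
    return findings

def scan_fails(html: str) -> bool:
    """Gate for a deployment pipeline: True if anything credential-like is served."""
    return bool(scan_source(html))

if __name__ == "__main__":
    for f in scan_source(SAMPLE_HTML):
        print(f"line {f.line}: {f.key} = {f.value_preview}")
```

Run it against the fetched source of each public page after every deploy; a hit on `token` may be a harmless CSRF value, so review findings rather than suppressing the key.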

This was not the first time someone found vulnerabilities in Verizon software. In January, researcher Randy Westergren reported discovering a flaw in the telecom giant’s FiOS fiber optic Internet, telephone and television service that could have been leveraged by hackers to hijack the email accounts of Verizon customers.

*Updated with statement from Caudill

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
