Vulnerabilities discovered by a security researcher in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.
UK-based researcher Daley Bee was analyzing Verizon Wireless systems when he came across a subdomain that appeared to be used by the company’s employees to access internal point-of-sale tools and view customer information. Further analysis led to the discovery of a URL pointing to PDF format contracts for Verizon Wireless customers who used the company’s monthly installment program to pay for their devices.
While authentication was needed to access the files, the expert initially managed to access one contract, linked to a specific phone number and contract number, after brute-forcing the URL’s GET parameters.
The researcher then realized that modifying the value of one of these parameters would display a different contract. This is called an insecure direct object reference (IDOR) vulnerability and they are typically easy to exploit.
The exposed contracts contained information such as full name, address, phone number, model and serial number of the acquired device, and the customer’s signature.
“As usual, it’s the small & stupid things that are overlooked that lead to the biggest issue,” the researcher said in a blog post.
Daley Bee determined that there were a total of roughly 2 million valid combinations for the parameter affected by the IDOR flaw — between 1310000000 and 1311999999 — and each corresponded to a Verizon Wireless customer contract.
The hacker reported his findings to Verizon in mid-June and a patch was rolled out roughly one month later. The researcher told SecurityWeek that Verizon Wireless services are not covered by a bug bounty program — Verizon provides an email address for responsibly disclosing vulnerabilities but it does not offer rewards.
The researcher claims Verizon has verified his findings and confirmed that the vulnerability exposed 2 million contracts.
SecurityWeek has reached out to Verizon for comment and will update this article if the company responds.
UPDATE. Verizon provided SecurityWeek the following statement:
“We were made aware of this issue in June. When the issue was brought to our attention, our cyber security team worked quickly with our application team to resolve it.
We have no reason to believe that any customer information was accessed by anyone other than the security researcher who reported it.”