Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Vulnerabilities Exposed 2 Million Verizon Customer Contracts

Vulnerabilities discovered by a security researcher in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.

Vulnerabilities discovered by a security researcher in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.

UK-based researcher Daley Bee was analyzing Verizon Wireless systems when he came across a subdomain that appeared to be used by the company’s employees to access internal point-of-sale tools and view customer information. Further analysis led to the discovery of a URL pointing to PDF format contracts for Verizon Wireless customers who used the company’s monthly installment program to pay for their devices.

While authentication was needed to access the files, the expert initially managed to access one contract, linked to a specific phone number and contract number, after brute-forcing the URL’s GET parameters.

The researcher then realized that modifying the value of one of these parameters would display a different contract. This is called an insecure direct object reference (IDOR) vulnerability and they are typically easy to exploit.

The exposed contracts contained information such as full name, address, phone number, model and serial number of the acquired device, and the customer’s signature.

Verizon exposed customer contracts

“As usual, it’s the small & stupid things that are overlooked that lead to the biggest issue,” the researcher said in a blog post.

Daley Bee determined that there were a total of roughly 2 million valid combinations for the parameter affected by the IDOR flaw — between 1310000000 and 1311999999 — and each corresponded to a Verizon Wireless customer contract.

The hacker reported his findings to Verizon in mid-June and a patch was rolled out roughly one month later. The researcher told SecurityWeek that Verizon Wireless services are not covered by a bug bounty program — Verizon provides an email address for responsibly disclosing vulnerabilities but it does not offer rewards.

The researcher claims Verizon has verified his findings and confirmed that the vulnerability exposed 2 million contracts.

SecurityWeek has reached out to Verizon for comment and will update this article if the company responds.

UPDATE. Verizon provided SecurityWeek the following statement:

“We were made aware of this issue in June. When the issue was brought to our attention, our cyber security team worked quickly with our application team to resolve it.

We have no reason to believe that any customer information was accessed by anyone other than the security researcher who reported it.”

Related: Verizon Patches Vulnerabilities Affecting Millions of Routers

Related: Verizon Messages App Allowed XSS Attacks Over SMS

Related: Verizon’s Hum Website Found Leaking Credentials

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.