
Vulnerabilities Exposed 2 Million Verizon Customer Contracts

Vulnerabilities discovered by a security researcher in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.


UK-based researcher Daley Bee was analyzing Verizon Wireless systems when he came across a subdomain that appeared to be used by the company’s employees to access internal point-of-sale tools and view customer information. Further analysis led to the discovery of a URL pointing to PDF format contracts for Verizon Wireless customers who used the company’s monthly installment program to pay for their devices.

While authentication was needed to access the files, the expert initially managed to access one contract, linked to a specific phone number and contract number, after brute-forcing the URL’s GET parameters.

The researcher then realized that modifying the value of one of these parameters would display a different customer's contract. Such flaws are known as insecure direct object reference (IDOR) vulnerabilities: the application authenticates the user but never checks that the requested object belongs to them, so they are typically easy to exploit.
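To make the IDOR pattern concrete, here is an added example (not Verizon's code, and not from the researcher's write-up) of a contract lookup that authenticates the caller but skips the object-level ownership check, beside the corrected version. The contract store, account identifiers and function names are constructed for illustration.

```python
# Added example: the IDOR pattern and the object-level authorization check that closes it.
# Everything here (data, names, exceptions) is constructed; it is not Verizon's code.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Contract:
    contract_number: int
    phone_number: str
    account_id: str      # the account that owns this contract
    holder_name: str


# Constructed sample store standing in for the contract database.
CONTRACTS = {
    1310000001: Contract(1310000001, "555-0101", "acct-A", "Alice Example"),
    1310000002: Contract(1310000002, "555-0102", "acct-B", "Bob Example"),
}


class NotFound(Exception):
    """Raised for both missing and foreign contracts (see get_contract_fixed)."""


def get_contract_idor(session_account: Optional[str], contract_number: int) -> Contract:
    """VULNERABLE: requires a login, then returns whatever object the identifier names.
    Any authenticated user can walk the identifier space and read everyone's contracts."""
    if session_account is None:
        raise PermissionError("login required")
    contract = CONTRACTS.get(contract_number)
    if contract is None:
        raise NotFound(contract_number)
    return contract


def get_contract_fixed(session_account: Optional[str], contract_number: int) -> Contract:
    """FIXED: look the object up, then confirm it belongs to the caller.
    A foreign contract gets the same 'not found' as a missing one, so the response
    does not reveal which identifiers exist."""
    if session_account is None:
        raise PermissionError("login required")
    contract = CONTRACTS.get(contract_number)
    if contract is None or contract.account_id != session_account:
        raise NotFound(contract_number)
    return contract


def leaks_cross_account(lookup: Callable[[Optional[str], int], Contract]) -> bool:
    """Test helper: can account A read account B's contract through `lookup`?"""
    try:
        lookup("acct-A", 1310000002)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable lookup leaks:", leaks_cross_account(get_contract_idor))   # True
    print("fixed lookup leaks:     ", leaks_cross_account(get_contract_fixed))  # False
```

The fix is the single `account_id` comparison, which is exactly the check that is easy to forget when a handler is written against a "the URL came from our own UI" assumption. Returning the same error for missing and foreign objects is a secondary hardening step so that a rejected request does not double as an existence oracle.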

The exposed contracts contained information such as full name, address, phone number, model and serial number of the acquired device, and the customer’s signature.

[Image: Verizon exposed customer contracts]

“As usual, it’s the small & stupid things that are overlooked that lead to the biggest issue,” the researcher said in a blog post.

Daley Bee determined that there were roughly 2 million valid values for the parameter affected by the IDOR flaw (between 1310000000 and 1311999999), and that each of them corresponded to a Verizon Wireless customer contract.
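A dense, sequential identifier range like the one described above means that, until the authorization check is fixed, a defender's best signal is a client walking that range. The following is an added example (not from the article or Verizon) of detection logic run over constructed web access log lines; the log format, the `contract` parameter name and the path are assumptions, while the identifier range is the one cited in the article.

```python
# Added example: flag clients that enumerate a sequential identifier in access logs.
# Log format, path and parameter name are assumed; the sample lines are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample log: "<client_ip> <path+query> <status>", one request per line.
SAMPLE_LOG = """\
10.0.0.5 /contracts/view.pdf?contract=1310000001 200
10.0.0.5 /contracts/view.pdf?contract=1310000002 200
10.0.0.5 /contracts/view.pdf?contract=1310000003 200
10.0.0.5 /contracts/view.pdf?contract=1310000004 200
10.0.0.5 /contracts/view.pdf?contract=1310000005 200
10.0.0.9 /contracts/view.pdf?contract=1310777777 200
10.0.0.9 /contracts/view.pdf?contract=1310777777 200
10.0.0.9 /contracts/view.pdf?contract=abc 400
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<url>\S+) (?P<status>\d{3})$")
PARAM = "contract"                                 # assumed query parameter name
VALID_RANGE = range(1310000000, 1312000000)        # 1310000000..1311999999 per the article


def parse_lines(text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (client_ip, contract_number, status) for lines carrying a numeric PARAM."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = parse_qs(urlparse(m["url"]).query).get(PARAM, [None])[0]
        if value is not None and value.isdigit():
            yield m["ip"], int(value), int(m["status"])


def longest_near_consecutive_run(ordered: List[int], max_gap: int) -> int:
    """Length of the longest run in a sorted list where neighbours differ by <= max_gap."""
    best = run = 1
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b - a <= max_gap else 1
        best = max(best, run)
    return best


def find_enumerators(text: str, min_distinct: int = 4, max_gap: int = 2) -> Dict[str, List[int]]:
    """Return {client_ip: sorted distinct ids} for clients that requested at least
    `min_distinct` different in-range identifiers forming a near-consecutive run.
    Repeated requests for one identifier (a real customer reloading) are not flagged."""
    seen: Dict[str, set] = defaultdict(set)
    for ip, value, _status in parse_lines(text):
        if value in VALID_RANGE:
            seen[ip].add(value)
    flagged: Dict[str, List[int]] = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) >= min_distinct and longest_near_consecutive_run(ordered, max_gap) >= min_distinct:
            flagged[ip] = ordered
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct contract ids, {ids[0]}..{ids[-1]}")
```

The thresholds are deliberately low so the constructed sample trips them; in production you would tune `min_distinct` and `max_gap` against the legitimate access pattern (a customer normally touches one or two contract numbers) and key on the authenticated account or session rather than the source IP where that is available in the logs.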

The researcher reported his findings to Verizon in mid-June and a patch was rolled out roughly one month later. He told SecurityWeek that Verizon Wireless services are not covered by a bug bounty program: Verizon provides an email address for responsibly disclosing vulnerabilities, but it does not offer rewards.


The researcher claims Verizon has verified his findings and confirmed that the vulnerability exposed 2 million contracts.

SecurityWeek has reached out to Verizon for comment and will update this article if the company responds.

UPDATE. Verizon provided SecurityWeek the following statement:

“We were made aware of this issue in June. When the issue was brought to our attention, our cyber security team worked quickly with our application team to resolve it.

We have no reason to believe that any customer information was accessed by anyone other than the security researcher who reported it.”

Related: Verizon Patches Vulnerabilities Affecting Millions of Routers

Related: Verizon Messages App Allowed XSS Attacks Over SMS

Related: Verizon’s Hum Website Found Leaking Credentials

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
