Slashdot Mirror


Simple Bug Exposed Verizon Users' SMS Histories

Trailrunner7 writes "A security researcher discovered a simple vulnerability in Verizon Wireless's Web-based customer portal that enabled anyone who knows a subscriber's phone number to download that user's SMS message history, including the numbers of the people he communicated with. The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn't want others to have access to his account information. 'I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn't want my account information to be exposed in such a way,' Collier said via email."
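
The flaw described in the summary is a missing object-level authorization check: the portal validated the shape of the phone number but never asked whether that line belonged to the logged-in account. The following is an added illustration, not Verizon's code, with constructed accounts, message logs and audit sink; it shows the broken export handler beside a fixed one that checks line ownership against the session's account and records every refusal so such probing can be detected.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data (hypothetical): which lines belong to which billing
# account, and a per-line SMS log. A real portal reads these from the
# subscriber database; the 7-digit numbers are placeholders, not real lines.
ACCOUNT_LINES = {
    "acct-1001": {"5550100", "5550101"},
    "acct-2002": {"5550200"},
}
SMS_LOG = {
    "5550100": [("2013-11-01T09:12", "out", "5550200"),
                ("2013-11-01T09:15", "in", "5550200")],
    "5550101": [("2013-11-02T18:00", "in", "5550300")],
    "5550200": [("2013-11-01T09:12", "in", "5550100")],
}
# Refused export attempts, kept so they can be alerted on (constructed audit sink).
AUDIT_LOG = []


class AuthorizationError(PermissionError):
    """Raised when the requested line is not on the caller's account."""


def normalize_number(number: str) -> str:
    """Keep digits only; the sample numbers are 7 digits (real systems use E.164)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 7:
        raise ValueError("malformed phone number")
    return digits


def export_sms_vulnerable(session_account: str, number: str) -> list:
    """Broken pattern: the input is validated for shape, but ownership is never
    checked, so any authenticated user can pull any line's history."""
    digits = normalize_number(number)
    return SMS_LOG.get(digits, [])


def export_sms_fixed(session_account: str, number: str) -> list:
    """Hardened pattern: authorize the object (the line) against the session's
    account before touching the data, and record every refusal."""
    digits = normalize_number(number)
    if digits not in ACCOUNT_LINES.get(session_account, set()):
        AUDIT_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "account": session_account,
            "requested": digits,
            "outcome": "denied",
        })
        raise AuthorizationError("line is not on this account")
    return SMS_LOG.get(digits, [])


def rows_to_csv(rows) -> str:
    """Render the history as the spreadsheet-style export the portal offered."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "direction", "other_party"])
    writer.writerows(rows)
    return buf.getvalue()


def denied_attempts(account: str) -> int:
    """Detection hook: how many exports this account has been refused."""
    return sum(1 for e in AUDIT_LOG
               if e["account"] == account and e["outcome"] == "denied")


if __name__ == "__main__":
    # Account 2002 asking for account 1001's line: leaks with the old handler,
    # refused (and logged) with the fixed one.
    print(rows_to_csv(export_sms_vulnerable("acct-2002", "555-0100")))
    try:
        export_sms_fixed("acct-2002", "555-0100")
    except AuthorizationError as exc:
        print("denied:", exc, "| refusals for acct-2002:", denied_attempts("acct-2002"))
    print(rows_to_csv(export_sms_fixed("acct-1001", "555-0100")))
```

The fix is the one `if digits not in ACCOUNT_LINES[...]` line; everything else exists to make the point measurable. A burst of `denied` audit entries from one account, or one account requesting many distinct lines, is the signal a monitoring rule would key on.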

18 of 60 comments

  1. Hasn't been sued yet? by michelcolman · · Score: 5, Interesting

    Most of the time, when somebody discloses a vulnerability like that in a responsible way, the result is a bunch of angry letters from lawyers accusing the reporter of hacking into the system, demanding damages to be paid, etcetera.

    Apparently that didn't happen in this case, so this really is a news story!

    1. Re:Hasn't been sued yet? by Anonymous Coward · · Score: 5, Funny

      The news is that the NSA complained that Verizon SMS went dark...

    2. Re:Hasn't been sued yet? by Joining+Yet+Again · · Score: 2

      The statement made by the OP was "most of the time".

      I can pull up hundreds of articles on murders, but "most people" aren't murdered.

      This is like critical analysis 101.

    3. Re:Hasn't been sued yet? by morgauxo · · Score: 2

      More likely it will just get forgotten and ignored. You can't keep the people interested in what their government is doing unless it has a direct and obvious effect on their bank accounts. Even then... it can be difficult.

  2. How can it be? by scsirob · · Score: 4, Interesting

    How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online? If I were any more cynical I'd suspect they are sloppy on purpose so they do not have to be bothered by our friends of the NSA. "It's self-service, fetch whatever you need!"

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB

    1. Re:How can it be? by Rosco+P.+Coltrane · · Score: 4

      How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online?

      Because you think the size of an organization or the level of sensitivity of the data it handles are a guarantee of professionalism? How quaint.

      Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ. That's if they don't outsource their services god knows where, where they have no visibility on who does what and how. If you think your data is safe with big concerns, you're deluding yourself.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash

    2. Re:How can it be? by Anonymous Coward · · Score: 2, Insightful

      Users don't care about security. Everybody uses Whatsapp, that pile of shit with more holes than Swiss cheese. Functionality is more important than security. Time-to-market is more important than security. You can tell people that every call they make is recorded, every SMS datamined, every location tracked. They do not care, because it never hurts them. The privacy apocalypse just doesn't happen. If more than a very small number of people are ever negatively affected by a privacy breach, then the laws will be changed and remedies will be found. It simply does not pay to do it right. Most software never leaves prototype stadium. If it works, ship it. You know the saying: "There's never time to do it right, but there's always time to do it over."

    3. Re:How can it be? by Thanshin · · Score: 2

      Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ.

      At first I was scared of being one of the hacks. Then I was scared I might be the one competent employee. Then I understood that was just an estimation and that the real ratio in a specific corporation could be +-1/100.

    4. Re:How can it be? by Joining+Yet+Again · · Score: 5, Insightful

      Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ.

      And you know what the worst thing is? Everybody thinks they're the 1 competent employee.

    5. Re:How can it be? by l3v1 · · Score: 4, Insightful

      "Functionality is more important than security."

      For average users, quite true. Non-average users, or ones that really want to keep their communications secret, also know that, and they don't use those services. That's why it makes so many people angry that the communications of masses of people are watched, probably 99.999% of the time totally unnecessarily. Of course, there's the good old catch-22 as well, since if they wouldn't watch the common channels, criminals wouldn't need to find better ways to communicate. So, as always, the majority of innocent people get hassled for the hope that the lives of the few criminals become harder. Well, a false hope (you all know Newton's 3rd law, right?), but still a hope.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.

    6. Re:How can it be? by VortexCortex · · Score: 2

      Not me! I'm one of the hacks! I don't know how to fix computers, and I'm also allergic to WIFI so I have to work from home, and can only use a smartphone during business hours -- Doctor's orders.

      That's my story, and I'm sticking to it!

  3. What allows them to store your entire SMS history? by flowerp · · Score: 2

    The customer pays Verizon to offer a communication service, not a data retention and wiretap service. Thanks.

    --
    --- Eat my sig.

  4. Re:What allows them to store your entire SMS histo by Anonymous Coward · · Score: 4, Funny

    They tried advertising it as a data retention and wiretap service, but it didn't do so well in focus groups.

  5. Title sounds like a web ad by Dave+Emami · · Score: 5, Funny

    "Learn about this one weird bug that Verizon doesn't want you to know!"

    --

    "The Greens lynched a hacker in Chicago. Last month, but I think the body's still hanging from the old Water Tower."

  6. Not a bug, but a feature by transporter_ii · · Score: 2

    Not a bug, but a feature. It was added to make it easier for the NSA to put all of its "metadata" to easy use.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality

  7. Like pounding 0 on a help line by Impy+the+Impiuos+Imp · · Score: 2

    By far the fastest way to talk with a real person on Verizon's phone site is to start looking at phone models. A little box will appear asking if you want to talk to a sales representative. Click yes and they can then help you for other stuff, or at least know what to do.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

  8. LERT out of business? by Yebyen · · Score: 3, Interesting

    When I called Verizon customer service to see if they could send me a log of my text messages, I was informed it would cost me $50 and a letter from my lawyer to their Law Enforcement Response Team (LERT). I am glad to see that just anyone could get that information without any lawyer, $50, or even proving who they are.

    Is this facility still available for paying customers of Verizon Wireless, to view their own text message history without the need for a team of lawyers?

    I've just tried it on my account, it looks like it is available to the person who is paying my bill but not to myself (the Account Member gets basically no special privileges other than using the phone and viewing aggregate usage statistics to avoid going over the account limits.)

    It would have been nice if Verizon had advised me of this service, rather than stonewalling me and telling me to get a lawyer.

    --
    Restating the obvious since nineteen aught five.

  9. Compare to Weev case by SpaceLifeForm · · Score: 2

    Both involved access via web where the web app failed to do proper validation. Apparently Verizon actually handled this well.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.