
Verizon Wireless Fixes Leaky Web Site

Verizon Wireless acknowledged today that a series of computer programming flaws may have exposed personal data on millions of subscribers. Verizon initially said it had no evidence any information was actually leaked as a result of the flaw, which it said could only be exploited by and against customers who had signed up to view their billing information online.

Jonathan Zdziarski, the security researcher who discovered the flaws, said he found the problem while writing a computer program that would automatically query his Verizon account online and report the number of minutes he had used from his wireless plan. He discovered that he could check another customer's bill and usage information just by entering their phone number into an area of the site that didn't properly verify user input.

Verizon fixed the initial problem early Thursday morning. But in the course of auditing its various customer billing sites, company technicians found at least two other situations where programming flaws exposed customer data, including the make and model of phone the customer used and the customer's general location.

But Verizon officials could not confirm Zdziarski's potentially most disturbing claim: He says similar flaws on the site could be used to map an existing customer's phone number to a handset controlled by an attacker. Such a flaw would allow the attacker to "clone" the phone number and thereby intercept any incoming calls or make outgoing calls that would later be billed to the legitimate subscriber's account. Zdziarski said he couldn't confirm it either, because he got nearly all the way through the process of mapping a friend's phone number to his phone when the system responded that the service that handled that function was temporarily not responding.

"But I'm more than 75 percent certain I could have done it had it been working," Zdziarski said.

All of this reminds me of the reporting I did recently on the Paris Hilton cell phone saga, where a bunch of kids used some pretty simple flaws in T-Mobile's Web site to break into the accounts of several celebrities.

By Brian Krebs  |  August 11, 2005; 4:23 PM ET


This guy is 75% full of s41t!! and 25% full of himself.

There is no way to map a number to another handset without a physical ESN change.

Posted by: Real Deal | August 12, 2005 10:01 AM | Report abuse

