Verizon Wireless Fixes Leaky Web Site
Verizon Wireless acknowledged today that a series of computer programming flaws may have exposed personal data on millions of subscribers. Verizon initially said it had no evidence any information was actually leaked as a result of the flaw, which it said could only be exploited by and against customers who had signed up to view their billing information online.
Jonathan Zdziarski, the security researcher who discovered the flaws, said he found the problem while writing a computer program that would automatically query his Verizon account online and report the number of minutes he had used from his wireless plan. He discovered that he could check another customer's bill and usage information just by entering their phone number into an area of the site that didn't properly verify user input.
Verizon fixed the initial problem early Thursday morning. But in the course of auditing its various customer billing sites, company technicians found at least two other situations where programming flaws exposed customer data, including the make and model of phone the customer used and the customer's general location.
But Verizon officials could not confirm Zdziarski's potentially most disturbing claim: He says similar flaws on the site could be used to map an existing customer's phone number to a handset controlled by an attacker. Such a flaw would allow the attacker to "clone" the phone number and thereby intercept any incoming calls or make outgoing calls that would later be billed to the legitimate subscriber's account. Zdziarski said he couldn't confirm it either, because he got nearly all the way through the process of mapping a friend's phone number to his phone when the system responded that the service that handled that function was temporarily not responding.
"But I'm more than 75 percent certain I could have done it had it been working," Zdziarski said.
All of this reminds me of the reporting I did recently on the Paris Hilton cell phone saga, where a bunch of kids used some pretty simple flaws in T-Mobile's Web site to break into the accounts of several celebrities.