Verizon Fixes Texting Bug

Thursday, October 24, 2013 @ 05:10 PM gHale

A simple URL hack was able to produce texting data for tens of millions of Verizon customers, according to a new report.

Verizon fixed the vulnerability in September, one month after security researcher Prvsec privately disclosed it to the carrier. Before Verizon addressed the issue, it allowed attackers to see who users texted and when, provided they had a subscriber-level login to the carrier’s website.

Securing Wireless in a Heartbeat
Grant to Boost Wireless Security
Wireless Field Sensors Vulnerable
U.S. Grid ‘Highly Vulnerable’

The vulnerability was the result of the Verizon website’s “download to spreadsheet” function, which allows subscribers to download a CSV file of the time, date, and recipient of their recent texts.

Unfortunately, the URL for that download contained the subscriber’s phone number, and simply changing the phone number in the URL would let a user download that number’s spreadsheet. As recently as August, there were no safeguards to ensure the person downloading the spreadsheet owned that number, potentially exposing tens of millions of Verizon customers’ contact lists and texting habits.

Prvsec researchers emphasized they disclosed the vulnerability responsibly, with no ill intent, and made sure it did not become public before the carrier had a chance to fix it.

“I’m a Verizon customer myself,” the researcher said, “so I wouldn’t want my own data exposed this way.”

A Verizon spokesperson confirmed the Prvsec report.

“Verizon takes customer privacy seriously,” the spokesperson said. “As soon as this was brought to the attention of our security teams, we addressed it, and no customer information was impacted.”

Leave a Reply

You must be logged in to post a comment.