Language Selection

English French German Italian Portuguese Spanish

Glitch on Verizon Wireless Web Site Left Data at Risk

Filed under

Verizon Wireless said yesterday that computer programming flaws in its online billing system could have allowed customers to view account information belonging to other customers, possibly exposing limited personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between Verizon Communications Inc. and Vodafone Group PLC, declined to say how many of the company's 45 million subscriber accounts were at risk. Verizon Wireless said the problem appeared to be limited to accounts for customers in the eastern United States who had signed up for its "My Account" feature.

There was no indication that anyone took advantage of the flaws or that any customer financial information, such as Social Security or credit card account numbers, was disclosed, Verizon Wireless spokesman Tom Pica said. The flaws also did not allow access to phone numbers associated with customers' incoming and outgoing calls, and "no customer data could be manipulated and changed in any way," Pica said.

Verizon Wireless said it had corrected the problem as of 2 a.m. yesterday. Pica said the company was still assessing whether it would notify customers about the situation.

The "My Account" feature has been available on the Verizon Wireless Web site for five years. Pica said the company does not yet know how long the flawed coding had been in place.

Pica confirmed the Web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle. Two other flaws could have exposed data about a customer's general location -- city and state -- and the make and model of phone the customer uses, Pica said.

The flaw that exposed account information was reported to Verizon Wireless by Jonathan Zdziarski, a software developer from Milledgeville, Ga., who said he discovered it while writing a computer program that would automatically query his account online and report the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless phone number on a particular portion of the site, he could pull up some information about that person's account.
Pica said the flaws did not expose customer account balances or latest payment information. But Zdziarski provided with a screenshot showing that the vulnerabilities exposed account balances and the date of the most recent payment, a claim that Pica said the company could not confirm.

After Zdziarski's alert, Verizon Wireless technicians reviewed other portions of the company's billing system and fixed one flaw but disabled the feature that allowed viewing of customer location until technicians could figure out a way to secure it, according to Pica.
Zdziarski said he later conducted other tests and found that the problem he discovered also could be exploited to transfer one customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming wireless calls and make calls that would be billed to the victim's account. Zdziarski said he was prevented from fully testing whether the flaw could be used to clone Verizon Wireless phones because the service that allows customers to map existing phone numbers to new handsets appeared to be offline when he reported the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've discovered it, then certainly your typical 'script kiddie' could figure it out."

Pica said company technicians were unable to reproduce the phone-cloning scenario described by Zdziarski.

One of Verizon Wireless's competitors, Bellevue, Wash.-based T-Mobile International, disclosed in January that a security hole in its Web site exposed data on at least 400 customers, including a Secret Service agent. This year, a group of hackers used other flaws in T-Mobile's site to break into the phones of dozens of celebrities in an incident that exposed racy photographs and personal notes and contacts for hotel heiress and socialite Paris Hilton.

By Brian Krebs
The Washington Post

More in Tux Machines

Leftovers: OSS and Sharing

  • Google’s Open Source Report Card Highlights Game-Changing Contributions
    Ask people about Google’s relationship to open source, and many of them will point to Android and Chrome OS — both very successful operating systems and both based on Linux. Android, in particular, remains one of the biggest home runs in open source history. But, as Josh Simmons from Google’s Open Source Programs Office will tell you, Google also contributes a slew of useful open source tools and programs to the community each year. Now, Google has issued its very first “Open Source Report Card,” as announced by Simmons on the Google Open Source Blog. "We're sharing our first Open Source Report Card, highlighting our most popular projects, sharing a few statistics and detailing some of the projects we've released in 2016. We've open sourced over 20 million lines of code to date and you can find a listing of some of our best known project releases on our website," said Simmons.
  • Nino Vranešič: Open Source Advocate and Mozilla Rep in Slovenia
    “My name is Nino Vranešič and I am connecting IT and Society,” is what Nino says about himself on LinkedIn. The video is a little hard to understand in places due to language differences and (we think) a slow or low-bandwidth connection between the U.S.-based Zoom servers and Eastern Europe, a problem that crops up now and then in video conversation and VOIP phone calls with people in that part of the world, no matter what service you choose. But Vranešič is worth a little extra effort to hear, because it’s great to learn that open source is being used in lots of government agencies, not only in Slovenia but all over Europe. And aside from this, Vranešič himself is a tres cool dude who is an ardent open source volunteer (“Mozilla Rep” is an unpaid volunteer position), and I hope I have a chance to meet him F2F next time he comes to a conference in Florida — and maybe you’ll have a chance to meet him if he comes to a conference near you.
  • MySQL and database programming for beginners
    Dave Stokes has been using MySQL for more than 15 years and has served as its community manager since 2010. At All Things Open this year, he'll give a talk about database programming for newbies with MySQL. In this interview, he previews his talk and shares a few helpful resources, required skills, and common problems MySQL beginners run into.
  • Nadella's trust talk is just so much hot air
    Microsoft chief executive Satya Nadella appears to have an incredibly short memory. Else he would be the last person who talks about trust being the most pressing issue in tech in our times. Over the last year, we have been treated to a variety of cheap tricks by Microsoft, attempting to hoodwink Windows users left, right and centre in order to get them to upgrade to Windows 10. After that, talking about trust sounds odd. Very odd. Microsoft does not have the best reputation among tech companies. It is known for predatory practices, for being convicted as a monopolist, and in recent times has been trying to cultivate a softer image as a company that is not as rapacious as it once was. That has, in large measure, come about as its influence and rank in the world of computing have both slipped, with other companies like Apple, Facebook and Google coming to dominate.
  • If you wish, you may rebuild all dports to use non-base SSL library of your choice
  • DragonFlyBSD Continues LibreSSL Push, OpenSSL To Be Dropped
    DragonFlyBSD is now defaulting to LibreSSL throughout its operating system stack and is planning to completely remove OpenSSL in the near future. Last month DragonFlyBSD began using LibreSSL by default while that effort has continued. OpenSSL is no longer being built by default and in about one month's time the OpenSSL support will be completely stripped from the DragonFly tree.
  • Ranking the Web With Radical Transparency
    Ranking every URL on the web in a transparent and reproducible way is a core concept of the Common Search project, says Sylvain Zimmer, who will be speaking at the upcoming Apache: Big Data Europe conference in Seville, Spain. The web has become a critical resource for humanity, and search engines are its arbiters, Zimmer says. However, the only search engines currently available are for-profit entities, so the Common Search project is creating a nonprofit engine that is open, transparent, and independent. We spoke with Zimmer, who founded Jamendo, dotConferences, and Common Search, to learn more about why nonprofit search engines are important, why Apache Spark is such a great match for the job, and some of the challenges the project faces.
  • A look inside the 'blinky flashy' world of wearables and open hardware
    While looking at the this year's All Things Open event schedule, a talk on wearables and open hardware caught my eye: The world of the blinky flashy. Naturally, I dug deeper to learn what it was all about.
  • Why Perl is not use for new development , most of time use for maintenance and support projects ?
    There has been a tendency amongst some companies to play a “wait and see” attitude towards Perl, but the Perl market appears to have stabilized in the past couple of years and more companies appear to be returning to Perl. As one of our clients explained to me when I asked why they chose Perl “We’re tired of being bitten by hype.”

And More Security Leftovers

  • The NyaDrop Trojan for Linux-running IoT Devices
  • Flaw resides in BTB helps bypass ASLR
  • Thoughts on the BTB Paper
    Though the attack might have some merits with regards to KASLR, the attack on ASLR is completely debunked. The authors of the paper didn't release any supporting code or steps for independent analysis and verification. The results, therefore, cannot be trusted until the authors fully open source their work and the work is validated by trusted and independent third parties.
  • Spreading the DDoS Disease and Selling the Cure
    Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

Blockchain and FOSS

Ubuntu Leftovers

  • Celebrating 12 years of Ubuntu
    Founder Mark Shuttleworth announced the first public release of Ubuntu – version 4.10, or “Warty Warthog” – on Oct. 20, 2004. The idea behind what would become the most recognizable and widely used Linux distributions ever was simple – create a Linux operating system that anybody could use. Here’s a look back at Ubuntu’s history.
  • Happy 12th Birthday, Ubuntu!
    Yup, it’s twelve years to the day since Mark Shuttleworth sat down to tap out the first Ubuntu release announcement and herald in an era of “Linux for human beings”.
  • A Slice of Ubuntu
    The de facto standard for Raspberry Pi operating systems is Raspbian–a Debian based distribution specifically for the diminutive computer. Of course, you have multiple choices and there might not be one best choice for every situation. It did catch our eye, however, that the RaspEX project released a workable Ubunutu 16.10 release for the Raspberry Pi 2 and 3. RaspEX is a full Linux Desktop system with LXDE (a lightweight desktop environment) and many other useful programs. Firefox, Samba, and VNC4Server are present. You can use the Ubuntu repositories to install anything else you want. The system uses kernel 4.4.21. You can see a review of a much older version of RaspEX in the video below.
  • Download Ubuntu Yakkety Yak 16.10 wallpaper
    The Yakkety Yak 16.10 is released and now you can download the new wallpaper by clicking here. It’s the latest part of the set for the Ubuntu 2016 releases following Xenial Xerus. You can read about our wallpaper visual design process here.
  • Live kernel patching from Canonical now available for Ubuntu 16.04 LTS
    We are delighted to announce the availability of a new service for Ubuntu which any user can enable on their current installations – the Canonical Livepatch Service. This new live kernel patching service can be used on any Ubuntu 16.04 LTS system (using the generic Linux 4.4 kernel) to minimise unplanned downtime and maintain the highest levels of security.
  • How to enable free 'Canonical Livepatch Service' for Linux kernel live-patching on Ubuntu
    Linux 4.0 introduced a wonderful feature for those that need insane up-time -- the ability to patch the kernel without rebooting the machine. While this is vital for servers, it can be beneficial to workstation users too. Believe it or not, some home users covet long up-time simply for fun -- bragging rights, and such. If you are an Ubuntu 16.04 LTS user (with generic Linux kernel 4.4) and you want to take advantage of this exciting feature, I have good news -- it is now conveniently available for free! Unfortunately, this all-new Canonical Livepatch Service does have a catch -- it is limited to three machines per user. Of course, home users can register as many email addresses as they want, so it is easy to get more if needed. Businesses can pay for additional machines through Ubuntu Advantage. Want to give it a go? Read on. "Since the release of the Linux 4.0 kernel about 18 months ago, users have been able to patch and update their kernel packages without rebooting. However, until now, no other Linux distribution has offered this feature for free to their users. That changes today with the release of the Canonical Livepatch Service", says Tom Callway, Director of Cloud Marketing, Canonical.
  • KernelCare Is Another Alternative To Canonical's Ubuntu Live Kernel Patching
    Earlier this week Canonical announced their Kernel Livepatching Service for Ubuntu 16.04 LTS users. Canonical's service is free for under three systems while another alternative for Ubuntu Linux users interested in a commercial service is CloudLinux's KernelCare. The folks from CloudLinux wrote in to remind us of their kernel patching solution, which they've been offering since 2014 and believe is a superior solution to Canonical's service. KernelCare isn't limited to just Ubuntu 16.04 but also works with Ubuntu 14.04 and other distributions such as CentOS/RHEL, Debian, and other enterprise Linux distributions.