Vulnerabilities discovered by a security researcher in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.
UK-based researcher Daley Bee was analyzing Verizon Wireless systems when he found a subdomain that the company's staff appeared to use for accessing internal point-of-sale tools and for viewing customer data. Further analysis led to the discovery of a URL serving PDF agreements for Verizon Wireless customers who pay for their devices through the company's monthly installment program.
The researcher initially managed to access a single agreement tied to a particular phone number and contract number; authentication was required to access the files, but he obtained access after brute-forcing the URL GET parameters.
The researcher then discovered that changing the value of one of these parameters returned a different agreement. This type of flaw is known as an insecure direct object reference (IDOR) vulnerability, and it is typically easy to exploit.
The exposed agreements contained data such as the customer's full name, address, phone number, the model and number of the device obtained, and the customer's signature.
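To make the flaw concrete, here is an added example (not code from the article, from the researcher, or from Verizon) of a minimal contract-lookup handler in the shape the article describes: the first version checks only that the caller is logged in, so changing the contract number returns another customer's record; the second version also checks that the record belongs to the authenticated customer. The contract numbers, customer names and devices are constructed sample data.

```python
"""Added example: an IDOR-vulnerable contract lookup next to its fixed form.
All records below are constructed and do not correspond to real contracts."""
from dataclasses import dataclass

# Constructed sample store: contract number -> owning customer and contents.
CONTRACTS = {
    1310000001: {"owner": "cust-A", "name": "Customer A", "device": "Phone X"},
    1310000002: {"owner": "cust-B", "name": "Customer B", "device": "Phone Y"},
}


@dataclass
class Session:
    """Authenticated session; customer_id is set by the login flow (assumed)."""
    customer_id: str


class Forbidden(Exception):
    """Raised when a request is refused."""


def get_contract_vulnerable(session, contract_id):
    """Authentication is enforced (a session must exist) but authorization is
    not: any logged-in user who edits the contract_id parameter receives
    someone else's agreement. This is the IDOR pattern."""
    if session is None:
        raise Forbidden("login required")
    return CONTRACTS[contract_id]


def get_contract_fixed(session, contract_id):
    """Same lookup, but the record is returned only when it belongs to the
    authenticated customer. A missing record and a foreign record produce the
    same error, so the endpoint does not reveal which contract numbers exist."""
    if session is None:
        raise Forbidden("login required")
    record = CONTRACTS.get(contract_id)
    if record is None or record["owner"] != session.customer_id:
        raise Forbidden("not found")
    return record


def can_access(session, contract_id):
    """True if the fixed handler would serve this contract to this session."""
    try:
        get_contract_fixed(session, contract_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = Session("cust-A")
    # Vulnerable: cust-A reads cust-B's agreement by changing one parameter.
    print(get_contract_vulnerable(alice, 1310000002)["owner"])  # cust-B
    # Fixed: only the caller's own agreement is served.
    print(can_access(alice, 1310000001), can_access(alice, 1310000002))
```

The essential fix is the ownership comparison, not hiding or randomizing the parameter: unpredictable identifiers slow enumeration down but do not replace a server-side authorization check on every object access.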
“As usual, it’s the small & stupid things that are overlooked that lead to the biggest issue,” the researcher said in a blog post.
Daley Bee determined that there were about 2 million valid values between 1310000000 and 13119999 for the parameter affected by the IDOR flaw, each corresponding to a Verizon Wireless customer agreement.
In mid-June, the researcher reported his findings to Verizon, and a patch was released about a month later. The researcher noted that Verizon Wireless services are not covered by a bug bounty program; Verizon provides an email address for responsible vulnerability disclosure but does not pay rewards.
The researcher says Verizon confirmed his findings and that the vulnerability exposed two million agreements.
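Because the affected parameter was a dense range of sequential numbers, walking through it shows up clearly in web server logs as one client requesting many consecutive contract numbers. The following added example (not from the article or from Verizon) flags that pattern: it parses a small set of constructed access-log lines, groups requests by client address, and reports any client that fetched many distinct contract numbers that are mostly consecutive. The log format, URL path, parameter name, addresses and thresholds are all assumptions chosen for the example.

```python
"""Added example: detect sequential contract-number enumeration in access logs.
Log format, endpoint path and all sample lines are constructed for this demo."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> GET <path>?contract=<id> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /contracts/view\?contract=(?P<cid>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one client walks eight consecutive numbers,
# another client looks at its own contract a few times.
SAMPLE_LOG = """\
2019-06-10T12:00:01Z 203.0.113.5 GET /contracts/view?contract=1310000001 200
2019-06-10T12:00:02Z 203.0.113.5 GET /contracts/view?contract=1310000002 200
2019-06-10T12:00:02Z 198.51.100.7 GET /contracts/view?contract=1310000042 200
2019-06-10T12:00:03Z 203.0.113.5 GET /contracts/view?contract=1310000003 200
2019-06-10T12:00:04Z 203.0.113.5 GET /contracts/view?contract=1310000004 200
2019-06-10T12:00:05Z 203.0.113.5 GET /contracts/view?contract=1310000005 200
2019-06-10T12:00:05Z 198.51.100.7 GET /contracts/view?contract=1310000042 200
2019-06-10T12:00:06Z 203.0.113.5 GET /contracts/view?contract=1310000006 200
2019-06-10T12:00:07Z 203.0.113.5 GET /contracts/view?contract=1310000007 200
2019-06-10T12:00:08Z 203.0.113.5 GET /contracts/view?contract=1310000008 200
2019-06-10T12:00:09Z 198.51.100.7 GET /contracts/view?contract=1310000050 200
"""


def parse(lines):
    """Return (ip, contract_id, status) for each line matching the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m.group("ip"), int(m.group("cid")), int(m.group("status"))))
    return events


def find_enumerators(events, min_distinct=5, min_sequential_ratio=0.8):
    """Flag clients that requested at least min_distinct different contract
    numbers where at least min_sequential_ratio of the sorted gaps equal 1.
    Returns {ip: {"distinct": n, "sequential_ratio": r}} for flagged clients."""
    by_ip = defaultdict(set)
    for ip, cid, status in events:
        if status == 200:  # only successful reads count as exposure
            by_ip[ip].add(cid)
    flagged = {}
    for ip, cids in by_ip.items():
        ordered = sorted(cids)
        if len(ordered) < min_distinct:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for g in gaps if g == 1) / len(gaps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {"distinct": len(ordered), "sequential_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {info['distinct']} distinct contracts, "
              f"{info['sequential_ratio']:.0%} consecutive")
```

In production the same logic would key on the authenticated account rather than the source address, since a legitimate customer has a small, fixed set of contracts; any account reading more than that is worth an alert regardless of how the numbers are spaced.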
UPDATE. Verizon provided SecurityWeek the following statement:
“We were made aware of this issue in June. When the issue was brought to our attention, our cyber security team worked quickly with our application team to resolve it.
We have no reason to believe that any customer information was accessed by anyone other than the security researcher who reported it.”