Bugtraq mailing list archives

Re: verizon wireless website gaping privacy holes


From: "Steve Shockley" <steve.shockley () shockley net>
Date: Sun, 2 Sep 2001 02:32:09 -0400

Note the p_session_id parameter.  This is the only session
identifier used.  They are assigned sequentially to each user as
they log in, and are valid until the user logs out or the session
times out.  Obviously, this makes it trivial to access the sessions
of other users by guessing the session ID.  Automated tools to grab
this information in bulk as users log in over time are also trivial.

Related vulnerability: if you pick a session ID below the current range, you
get a message "Unable to validate URL".  If you try one above the current
range, you get "Unable to find URL".  Naturally, this makes it trivial to
zero in on the current valid session ID range, even by hand.
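
A defensive counterpart to the two issues described in the message above, as an added example that is not part of the original post or of the site's code: session tokens drawn from a CSPRNG instead of a counter, and one error message for every invalid-session case so the response does not reveal where the valid range lies. `SessionStore`, `GENERIC_ERROR`, the TTL and the sample inputs are hypothetical and constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value
GENERIC_ERROR = "Invalid or expired session"  # one message for every failure


class SessionStore:
    """Hypothetical server-side store keyed by unguessable tokens."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}  # token -> (user, expiry)
        self._ttl = ttl
        self._clock = clock

    def login(self, user):
        # 256 bits from the OS CSPRNG: no ordering, no "current range" to find.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock() + self._ttl)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def validate(self, token):
        """Return (user, None) on success, (None, GENERIC_ERROR) otherwise."""
        entry = self._sessions.get(token) if isinstance(token, str) else None
        if entry is None:
            return None, GENERIC_ERROR  # unknown, malformed or logged out
        user, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[token]
            return None, GENERIC_ERROR  # expired: same message as above
        return user, None


def demo():
    now = [0.0]  # controllable clock so expiry can be shown offline
    store = SessionStore(ttl=10, clock=lambda: now[0])
    a, b = store.login("alice"), store.login("bob")
    results = {"valid": store.validate(a),
               "unknown": store.validate("1000001"),  # constructed guess
               "malformed": store.validate(None)}
    store.logout(b)
    results["logged_out"] = store.validate(b)
    now[0] = 11.0
    results["expired"] = store.validate(a)
    return a, b, results
```
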



