BreachExchange mailing list archives
Verizon Privacy Vulnerability Discovered by Researcher, Took a Month to Patch
From: Lee J <lee () riskbasedsecurity com>
Date: Tue, 29 Oct 2013 12:54:38 +1100
http://www.androidorigin.com/verizon-privacy-vulnerability-discovered-by-researcher-took-a-month-to-patch/#ixzz2j4WBPV00

Whilst those who make a call to Verizon’s customer service may expect a long wait until someone starts paying attention, you’d be forgiven for thinking that this wouldn’t happen to a security researcher who’d discovered a vulnerability in Big Red’s website. Yet this is exactly what happened to PRVSEC, a researcher who discovered that a simple URL exploit could allow anyone to access a user’s text history.

As it turns out, swapping a subscriber’s phone number into a URL can reveal information about their messaging history such as date, time, sendee and message status. What’s more, Verizon allows customers to “Download to Spreadsheet”, neatly tabulating this data for a third party to analyse if they so wished. Whilst the contents of the messages weren’t stored in this way and couldn’t be accessed, it’s still obviously a fairly major security breach.

PRVSEC informed Verizon way back in August about the security flaw, and tried in vain to get the issue patched. It took Verizon over a month from the initial report to completely solve the problem, and then another month to disclose the details to the public. Part of the problem here is that Verizon doesn’t have a direct point of contact for such issues – PRVSEC had to go through the usual consumer channels to get things fixed. In the end, the researcher could only bring attention to the bug through a LinkedIn contact, although VZW has now finally created a dedicated email contact for such concerns – CorporateSecurity () verizonwireless com. However, the company’s response time and lack of a dedicated system to deal with such breaches up until now should be of concern to subscribers who trust their details to them.
A Verizon rep responded to a request for comment by Engadget by saying: “[We] take customer privacy very seriously, and we addressed this issue as soon as our security teams were made aware of it. Customer information was not impacted.” Well that’s good, then. What do you make of these breaches? Does this worry you? Let us know!
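The flaw described above is an insecure direct object reference: the server trusted the phone number in the URL instead of checking that it belonged to the logged-in customer. The example below is added here and is not Verizon's code or the researcher's; it shows a handler with that defect beside one that enforces object-level authorization, and a small detector that flags a session pulling history for many different numbers from access logs. The phone numbers, the `/sms/history` path, the session model and the log lines are all constructed for illustration.

```python
"""Added example (not from the article or from Verizon): an IDOR on a
per-subscriber SMS-history endpoint, the authorization check that closes
it, and a log-based detector for number enumeration. Every number, path,
session and log line here is constructed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed backing store: subscriber number -> SMS metadata rows.
# As in the article, only date/time/peer/status are held, never message bodies.
SMS_METADATA: Dict[str, List[dict]] = {
    "2015550101": [{"date": "2013-08-01", "time": "09:12",
                    "peer": "2015550199", "status": "delivered"}],
    "2015550102": [{"date": "2013-08-02", "time": "18:40",
                    "peer": "2015550150", "status": "sent"}],
}


@dataclass(frozen=True)
class Session:
    """Constructed session model: the customer and the numbers on their account."""
    user_id: str
    phone_numbers: FrozenSet[str]


class Forbidden(Exception):
    pass


def vulnerable_history(session: Session, number: str) -> List[dict]:
    """Defective handler: the number from the URL is used directly as the
    lookup key, so any logged-in customer can read any subscriber's rows."""
    return SMS_METADATA.get(number, [])


def hardened_history(session: Session, number: str) -> List[dict]:
    """Fixed handler: the requested number must belong to the caller's own
    account. The check keys on the session, not on anything the client sent."""
    if number not in session.phone_numbers:
        raise Forbidden(f"user {session.user_id} may not read {number}")
    return SMS_METADATA.get(number, [])


def hardened_handler(session: Session, number: str) -> Tuple[int, List[dict]]:
    """HTTP-style wrapper: 200 with rows for the owner, 403 with nothing otherwise."""
    try:
        return 200, hardened_history(session, number)
    except Forbidden:
        return 403, []


# Constructed access-log lines: "<session_id> GET <path-with-query>".
ACCESS_LOG = """\
sessA GET /sms/history?number=2015550101
sessA GET /sms/history?number=2015550101
sessB GET /sms/history?number=2015550101
sessB GET /sms/history?number=2015550102
sessB GET /sms/history?number=2015550103
sessB GET /sms/history?number=2015550104
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return {session_id: distinct_numbers} for sessions that requested
    history for more than `threshold` distinct numbers. A legitimate customer
    only has a handful of lines on their account, so a high count is a
    useful signal even before the authorization fix is deployed."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not a request line we understand
        session_id, path = parts[0], parts[2]
        query = parse_qs(urlsplit(path).query)
        for number in query.get("number", []):
            distinct[session_id].add(number)
    return {sid: len(nums) for sid, nums in distinct.items() if len(nums) > threshold}


if __name__ == "__main__":
    other = Session("alice", frozenset({"2015550102"}))
    print("vulnerable:", vulnerable_history(other, "2015550101"))  # leaks another subscriber
    print("hardened:", hardened_handler(other, "2015550101"))      # (403, [])
    print("flagged:", flag_enumeration(ACCESS_LOG))                # {'sessB': 4}
```

The detector is deliberately coarse: it counts distinct numbers per session rather than per source address, because a single customer account cycling through many numbers is the pattern that matters here, and the threshold should be set from how many lines a real account can hold.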
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.