BreachExchange mailing list archives

Verizon Privacy Vulnerability Discovered by Researcher, Took a Month to Patch


From: Lee J <lee () riskbasedsecurity com>
Date: Tue, 29 Oct 2013 12:54:38 +1100

http://www.androidorigin.com/verizon-privacy-vulnerability-discovered-by-researcher-took-a-month-to-patch/#ixzz2j4WBPV00

Whilst those who make a call to Verizon’s customer service may expect a
long wait until someone starts paying attention, you’d be forgiven for
thinking that this wouldn’t happen to a security researcher who’d
discovered a vulnerability in Big Red’s website. Yet this is exactly what
happened to PRVSEC, a researcher who discovered that a simple URL exploit
could allow anyone to access users’ text history.

As it turns out, swapping a subscriber’s phone number into a URL can reveal
information about their messaging history such as date, time, sendee and
message status. What’s more, Verizon allows customers to “Download to
Spreadsheet”, neatly tabulating this data for a third party to analyse if
they so wished. Whilst the contents of the messages weren’t stored in this
way and couldn’t be accessed, it’s still obviously a fairly major security
breach.

PRVSEC informed Verizon way back in August about the security flaw, and
tried in vain to get the issue patched. It took Verizon over a month from
the initial report to completely solve the problem, and then another month
to disclose the details to the public. Part of the problem here is that
Verizon doesn’t have a direct point of contact for such issues – PRVSEC had
to go through the usual consumer channels to get things fixed.

In the end, the researcher could only bring attention to the bug through a
LinkedIn contact, although VZW has now finally created a dedicated email
contact for such concerns – CorporateSecurity () verizonwireless com. However,
the company’s response time and lack of a dedicated system to deal with
such breaches up until now should be of concern to subscribers who trust
their details to them.

A Verizon rep responded to a request for comment by Engadget by saying:
“[We] take customer privacy very seriously, and we addressed this issue as
soon as our security teams were made aware of it. Customer information was
not impacted.” Well that’s good, then.

What do you make of these breaches? Does this worry you? Let us know!
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
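The flaw described in the forwarded article is an object-level authorization failure: the phone number in the URL alone selected whose message metadata was returned. The following is an added example (not code from the article, from PRVSEC, or from Verizon) that shows the vulnerable lookup beside a hardened one that ties the requested line to the authenticated account, and a simple detection heuristic that flags one account requesting many distinct numbers in a short window. All account names, phone numbers, the record layout and the log lines are constructed for illustration.

```python
"""Object-level authorization for a per-subscriber 'message history' lookup.

Added example; every identifier and data value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed store of message metadata (no message bodies), keyed by line number.
MESSAGE_HISTORY = {
    "5550100": [{"date": "2013-09-01", "time": "09:12", "peer": "5550199", "status": "delivered"}],
    "5550200": [{"date": "2013-09-02", "time": "18:40", "peer": "5550150", "status": "sent"}],
}

# Constructed account table: which authenticated account owns which lines.
LINES_BY_ACCOUNT = {
    "acct-alice": {"5550100"},
    "acct-bob": {"5550200"},
}


class Forbidden(Exception):
    """Raised when the session does not own the requested line."""


def history_vulnerable(number):
    """Before: the URL parameter alone selects the record, so anyone who
    supplies a valid number receives that subscriber's metadata."""
    return list(MESSAGE_HISTORY.get(number, []))


def owns_line(session_account, number):
    """Ownership check: the requested line must be bound to the session's account."""
    return number in LINES_BY_ACCOUNT.get(session_account, set())


def history_hardened(session_account, number):
    """After: deny by default; the response must never depend on a caller-chosen
    identifier that the session has not been verified to own."""
    if not owns_line(session_account, number):
        raise Forbidden("requested line is not owned by the session account")
    return list(MESSAGE_HISTORY.get(number, []))


# Constructed access-log lines in a made-up key=value format for the detection demo.
LOG_LINES = [
    "2013-09-03T10:00:01 acct=acct-bob path=/history?mdn=5550200 status=200",
    "2013-09-03T10:00:05 acct=acct-bob path=/history?mdn=5550100 status=200",
    "2013-09-03T10:00:09 acct=acct-bob path=/history?mdn=5550300 status=200",
    "2013-09-03T10:00:12 acct=acct-bob path=/history?mdn=5550400 status=200",
    "2013-09-03T10:02:00 acct=acct-alice path=/history?mdn=5550100 status=200",
    "2013-09-03T11:30:00 acct=acct-alice path=/history?mdn=5550100 status=200",
]


def parse_log_line(line):
    """Split one constructed log line into timestamp, account and requested number."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    query = parse_qs(urlparse(kv["path"]).query)
    return {
        "ts": datetime.fromisoformat(ts_text),
        "acct": kv["acct"],
        "mdn": query.get("mdn", [None])[0],
    }


def flag_enumerating_accounts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {account: peak_distinct_numbers} for accounts that requested at
    least `threshold` distinct numbers within any `window`-long span.
    A legitimate subscriber touches one or a few lines; enumeration touches many."""
    by_acct = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec["mdn"] is not None:
            by_acct[rec["acct"]].append(rec)

    flagged = {}
    for acct, recs in by_acct.items():
        recs.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(recs):
            # Distinct numbers requested in the window starting at this request.
            distinct = {r["mdn"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[acct] = peak
    return flagged


if __name__ == "__main__":
    print("vulnerable, no session needed:", history_vulnerable("5550100"))
    print("hardened, owner:", history_hardened("acct-alice", "5550100"))
    print("flagged accounts:", flag_enumerating_accounts(LOG_LINES))
```

The hardened lookup fails closed and does not distinguish "not yours" from "does not exist", so it cannot be used to confirm which numbers are valid subscribers. The detection heuristic is deliberately coarse; in practice the threshold and window would be tuned against the baseline of how many lines a real account ever views.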
