Full Disclosure mailing list archives

Verizon Wireless Personal Data Advisory


From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 11 Aug 2005 09:48:56 -0400

Jonathan A. Zdziarski
Nuclear Elephant
August 11, 2005

Description: East-Coast Verizon Wireless Customer Data at Risk

Synopsis:

Verizon Wireless customers in the east may have had limited personal information about their account viewed by other Verizon Wireless customers up until early August 11, 2005, when the problem was corrected by Verizon Wireless' Security Response Team.

The problem appears to have been localized to the systems containing information about Verizon Wireless customers in the east, or approximately one third of the customer base. Therefore, only customers living in the east were at risk for having any personal information leaked.

The problem was confirmed fixed on August 11 at 2AM EST by a Verizon Wireless Information Security Team member, and tested and confirmed fixed by Nuclear Elephant.

About the Vulnerability:

A sanity check was missing from ebillpay's unbilled-usage modules to correlate phone numbers with accounts. This could have been used by a malicious user to mine data through Verizon Wireless' website about other Verizon Wireless customers. The data available included statement activity such as current balance and last payment made, and usage information. It may have also been possible at one point to activate a handset on another customer's phone number (this, however, remained unconfirmed because the entire activation tool was unavailable at the time the vulnerability was discovered; Verizon Wireless has not commented on whether this particular vulnerability existed).
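To make the missing check concrete, here is an added example (not Verizon Wireless or ebillpay code) with constructed records: a request-trusting lookup beside one that correlates the requested phone number with the authenticated account before returning usage or statement data. All account ids, phone numbers and figures are made up.

```python
# Added example (not Verizon Wireless code): constructed sample records showing
# the missing ownership check described above, and the corrected check.
# All account ids, phone numbers and figures below are made up.

ACCOUNTS = {
    "acct-1001": {"lines": {"2125550101", "2125550102"}, "balance": 84.20, "last_payment": 60.00},
    "acct-2002": {"lines": {"9175550199"}, "balance": 12.75, "last_payment": 12.75},
}
# Unbilled usage per line (minutes this cycle), keyed only by phone number.
UNBILLED = {"2125550101": 410, "2125550102": 35, "9175550199": 1290}


class AuthorizationError(Exception):
    """Raised when the requested line does not belong to the session's account."""


def owner_of(phone_number):
    """Correlate a phone number with the account that owns it (None if unknown)."""
    for account_id, record in ACCOUNTS.items():
        if phone_number in record["lines"]:
            return account_id
    return None


def require_ownership(session_account, phone_number):
    # The sanity check: resolve the number to its owner and compare it with the
    # authenticated account. Unknown numbers and other customers' numbers get the
    # same error, so the response does not reveal whether a number exists.
    if owner_of(phone_number) != session_account:
        raise AuthorizationError("line not on this account")


def unbilled_usage_vulnerable(session_account, phone_number):
    # The flaw: the handler trusts the phone number in the request and never
    # checks that it belongs to session_account, so any known number is readable.
    return UNBILLED.get(phone_number)


def unbilled_usage_fixed(session_account, phone_number):
    require_ownership(session_account, phone_number)
    return UNBILLED[phone_number]


def statement_summary(session_account, phone_number):
    # Statement data (balance, last payment) flows through the same check, so a
    # number that fails it exposes nothing about the other account.
    require_ownership(session_account, phone_number)
    record = ACCOUNTS[owner_of(phone_number)]
    return {"balance": record["balance"], "last_payment": record["last_payment"]}
```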


Contact Information:

Jonathan Zdziarski
jonathan () nuclearelephant com

Tom Pica
Verizon Wireless
Thomas.Pica () VerizonWireless com
908-306-4385

Original URL:

http://www.nuclearelephant.com/papers/verizon.html

Notes:

This advisory is in no way affiliated with Verizon Wireless and is informational only.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
