Verizon vulnerability made it painfully easy to access customer info

On the off chance you've experienced some sketchiness with your Verizon home internet account over the past few weeks, we might just know why now. As first reported by BuzzFeed, a vulnerability in Verizon's customer service systems meant that attackers could have duped their way into the accounts of any of the 9 million households that pay the telecom for internet access. And the worst part? The process was absolutely dead simple. Verizon, for what it's worth, said the issue (now fixed) came about because of a code error in a recent software update, and that they have "no reason to believe that any customers were impacted by this."

Now, here's how it worked.

Let's say you're a malcontent looking to screw with a particular Verizon customer. Your first step would've been to obtain that person's IP address. That's simple enough: As BuzzFeed points out, a quick peek at the headers of an email sent from a Verizon account would reveal its originating IP address. From there, a browser extension could be used to "spoof" Verizon's customer service website by masking your own IP address with the one you sniffed out from that email. Thing is, that Verizon site was built to recognize when someone with a Verizon IP address swings by, and erroneously displayed "things like your location, your name, your phone number, and your email address" without any additional prompting. Once those pieces were obtained, it would've been trivial for anyone to do a little social engineering, just as BuzzFeed's Joseph Bernstein did. After a call to Verizon's customer service line, he was able to talk a representative into resetting the password associated with a volunteer's Verizon account. Voilà: Almost completely painless access to someone else's service and billing information.
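The report does not say how the site learned a visitor's address. The following is an added example, not Verizon's code: assuming the address came from a client-settable forwarding header such as X-Forwarded-For, it contrasts that flawed pattern with a resolver that believes the header only when the connection arrives from a known proxy, and with a display rule that never treats an IP address as proof of identity. The proxy range, function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the only hosts allowed to set X-Forwarded-For are our own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def naive_client_ip(peer_ip, headers):
    """Flawed pattern: believes whatever address the request header claims."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip

def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed values are never trusted
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer_ip, headers):
    """Use the header only when the TCP peer is one of our proxies, then walk
    it right to left and stop at the first hop we do not operate."""
    if not _is_trusted(peer_ip):
        return peer_ip  # direct connection: the header is client-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_ip  # garbage entry: fall back to the socket peer
    return peer_ip

def account_fields_to_show(client_ip, session_authenticated):
    """A network address is at most a hint; personal details need a login."""
    if not session_authenticated:
        return []
    return ["location", "name", "phone", "email"]

# Constructed sample: a request from 203.0.113.50 claiming a subscriber's address.
SPOOFED = {"X-Forwarded-For": "198.51.100.7"}
# Same request via our proxy 10.0.0.5, which appended the real peer address.
VIA_PROXY = {"X-Forwarded-For": "198.51.100.7, 203.0.113.50"}

if __name__ == "__main__":
    print(naive_client_ip("203.0.113.50", SPOOFED))      # header value wins
    print(resolve_client_ip("203.0.113.50", SPOOFED))    # socket peer wins
    print(resolve_client_ip("10.0.0.5", VIA_PROXY))      # proxy-appended hop wins
```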

Fixed or not, the sheer simplicity of intrusion thanks to a botched software update is more than a little scary -- it's not uncommon for attackers to use breached accounts as a starting point from which they go after others. We're sure Verizon will quietly look into things and see if any innocent customers caught flak thanks to this multi-week oversight, but hey, you could always tell us about it first.