Verizon left security researcher hanging while reported URL hack revealed subscribers' texting history (updated)

Long wait times and a complete lack of transparency -- no, this isn't a story about a typical call to Verizon customer support. It's what happened when a security researcher discovered a critical privacy vulnerability on Verizon's consumer site and tried, nearly in vain, to get it patched. Back in August, researcher PRVSEC found that a simple URL exploit could allow any subscriber using the site's 'Download to SpreadSheet' function to access any other user's texting history. The hack required nothing more than swapping a subscriber's cell number into the code to view information like date, time, sendee and message status -- actual contents of the SMS or MMS sent could not be accessed.
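The flaw described above is a missing ownership check on an export request. The sketch below is an added example, not Verizon's code or anything from the original report: it contrasts a handler that trusts the line number in the request with one that authorizes it against the logged-in account and records denied attempts. All names, account IDs, phone numbers and records are constructed for illustration.

```python
import csv
import io

# Constructed sample data: lines owned by each account, and message metadata per line.
ACCOUNT_LINES = {"acct-1001": {"5550100001"}, "acct-2002": {"5550100002"}}
MESSAGE_LOG = {
    "5550100001": [("2000-01-01", "09:15", "5550100777", "Delivered")],
    "5550100002": [("2000-01-02", "18:40", "5550100888", "Delivered")],
}


class Forbidden(Exception):
    """Raised when a session asks for a line it does not own."""


def to_csv(rows):
    # Render metadata rows in the shape of a spreadsheet download.
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "time", "recipient", "status"])
    writer.writerows(rows)
    return buf.getvalue()


def export_unchecked(session_account, requested_line):
    # Flawed pattern: the line number from the request is trusted as-is,
    # so any logged-in subscriber receives whatever line the URL names.
    return to_csv(MESSAGE_LOG.get(requested_line, []))


def export_checked(session_account, requested_line, audit):
    # Corrected pattern: authorize the requested line against the server-side
    # session before reading it, and log denials so monitoring can flag
    # an account that asks for lines it does not own.
    if requested_line not in ACCOUNT_LINES.get(session_account, set()):
        audit.append((session_account, requested_line, "denied"))
        raise Forbidden("line not on this account")
    return to_csv(MESSAGE_LOG.get(requested_line, []))
```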

It took Verizon more than a month from the time PRVSEC submitted the initial report to bring the case to a complete resolution and close the exploit, and an additional month to make the issue public. That the issue was even addressed in the first place is somewhat of a personal victory for PRVSEC, as Verizon's site doesn't offer any direct contact info to report vulnerabilities. PRVSEC was only able to bring the URL exploit to Verizon's attention through a LinkedIn contact. Verizon has since created a dedicated email contact, CorporateSecurity@verizonwireless.com, to field these security issues, but the company's overall slow response time, inaccessibility and lack of transparency should give its subscribers cause for concern. We've reached out to Verizon for comment on the matter and will update should we hear back.

Update: A Verizon rep responded to our request for comment saying, "[We] take customer privacy very seriously, and we addressed this issue as soon as our security teams were made aware of it. Customer information was not impacted."

Verizon owns Engadget's parent company, Verizon Media. Rest assured, Verizon has no control over our coverage. Engadget remains editorially independent.
