Verizon vulnerability made it painfully easy to access customer info


On the off chance you've experienced some sketchiness with your Verizon home internet account over the past few weeks, we might just know why now. As first reported by BuzzFeed, a vulnerability in Verizon's customer service systems meant that attackers could have duped their way into the accounts of any of the 9 million households that pay the telecom for internet access. And the worst part? The process was absolutely dead simple. Verizon, for what it's worth, said the issue (now fixed) came about because of a code error in a recent software update, and that they have "no reason to believe that any customers were impacted by this."

Now, here's how it worked.

Let's say you're a malcontent looking to screw with a particular Verizon customer. Your first step would've been to obtain that person's IP address. That's simple enough: As BuzzFeed points out, a quick peek at the headers of an email sent from a Verizon account would reveal its originating IP address. From there, a browser extension could be used to "spoof" Verizon's customer service website by masking your own IP address with the one you sniffed out from that email. Thing is, that Verizon site was built to recognize when someone with a Verizon IP address swings by, and erroneously displayed "things like your location, your name, your phone number, and your email address" without any additional prompting. Once those pieces were obtained, it would've been trivial for anyone to do a little social engineering, just as BuzzFeed's Joseph Bernstein did. After a call to Verizon's customer service line, he was able to talk a representative into resetting the password associated with a volunteer's Verizon account. Voilà: Almost completely painless access to someone else's service and billing information.
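A defensive sketch of the flaw class described above, added here as an illustration and not Verizon's code. It assumes the spoofed address reached the site in a client-supplied `X-Forwarded-For` header (the article does not name the mechanism); all addresses, the proxy range and the function names are constructed.

```python
import ipaddress

# Assumption: only our own reverse proxies may set X-Forwarded-For.
# Constructed range taken from the documentation address blocks.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def _is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, headers):
    """Weak pattern: believe whatever address the request header claims."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr


def resolve_client_ip(peer_addr, headers):
    """Use the header only when the TCP peer is one of our proxies, then walk
    it right to left and stop at the first hop that is not a trusted proxy."""
    if not _is_trusted_proxy(peer_addr):
        return peer_addr  # direct connection: the header is attacker-controlled
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    client = peer_addr
    for hop in reversed(hops):
        try:
            trusted = _is_trusted_proxy(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain here
        client = hop
        if not trusted:
            break
    return client


def account_banner(client_ip, subscriber_by_ip, session_user=None):
    """An IP match is a routing hint, never proof of identity: personal
    fields are returned only for an authenticated session."""
    if session_user is not None:
        return {"greeting": session_user["name"], "email": session_user["email"]}
    if client_ip in subscriber_by_ip:
        return {"greeting": "Welcome back. Sign in to view your account."}
    return {"greeting": "Sign in"}
```

Even with a correctly resolved address, the second function is the more important control: a source IP identifies a connection, not a person, so it should never unlock name, phone number or email on its own.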


Fixed or not, the sheer simplicity of intrusion thanks to a botched software update is more than a little scary -- it's not uncommon for attackers to use breached accounts as a starting point from which they go after others. We're sure Verizon will quietly look into things and see if any innocent customers caught flak thanks to this multi-week oversight, but hey, you could always tell us about it first.

Engadget was owned by Verizon between June 2015 and September 2021. Engadget's parent company is now Yahoo Inc.
