Verizon vulnerability made it painfully easy to access customer info

On the off chance you've experienced some sketchiness with your Verizon home internet account over the past few weeks, we might just know why now. As first reported by BuzzFeed, a vulnerability in Verizon's customer service systems meant that attackers could have duped their way into the accounts of any of the 9 million households that pay the telecom for internet access. And the worst part? The process was absolutely dead simple. Verizon, for what it's worth, said the issue (now fixed) came about because of a code error in a recent software update, and that they have "no reason to believe that any customers were impacted by this."

Now, here's how it worked.

Let's say you're a malcontent looking to screw with a particular Verizon customer. Your first step would've been to obtain that person's IP address. That's simple enough: As BuzzFeed points out, a quick peek at the headers of an email sent from a Verizon account would reveal its originating IP address. From there, a browser extension could be used to "spoof" your way past Verizon's customer service website, masking your own IP address with the one you sniffed out from that email. Thing is, that Verizon site was built to recognize when someone with a Verizon IP address swings by, and it erroneously displayed "things like your location, your name, your phone number, and your email address" without any additional prompting. Once those pieces were obtained, it would've been trivial for anyone to do a little social engineering, just as BuzzFeed's Joseph Bernstein did. After a call to Verizon's customer service line, he was able to talk a representative into resetting the password associated with a volunteer's Verizon account. Voilà: Almost completely painless access to someone else's service and billing information.
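The article does not say how the site learned a visitor's IP address. As an added illustration (not Verizon's code), the Python sketch below assumes a client-settable forwarding header, here `X-Forwarded-For`, and sets the flawed behaviour beside a server that believes only its own proxies and shows no account details without a login. The proxy range, customer table and function names are constructed for the example.

```python
import ipaddress

# Constructed values: the proxy range and customer table are assumptions for this sketch.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
CUSTOMERS_BY_IP = {"203.0.113.7": {"name": "A. Customer", "phone": "555-0100"}}


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, headers):
    """Weak: believes whatever the forwarding header says, whoever sent it."""
    forwarded = headers.get("X-Forwarded-For")
    return forwarded.split(",")[0].strip() if forwarded else peer_addr


def resolved_client_ip(peer_addr, headers):
    """Walk the chain right to left; stop at the first hop we do not operate."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr  # direct connection: the header is client-controlled, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop  # address our own proxy saw, not one the client typed
        except ValueError:
            break  # malformed entry: stop trusting the rest of the header
    return peer_addr


def vulnerable_page(peer_addr, headers):
    """Behaviour the article describes: a recognised IP gets details unprompted."""
    return CUSTOMERS_BY_IP.get(naive_client_ip(peer_addr, headers), {})


def hardened_page(peer_addr, headers, authenticated_customer=None):
    """IP recognition only tailors the sign-in prompt; details need a logged-in session."""
    if authenticated_customer is not None:
        return dict(authenticated_customer)
    recognised = resolved_client_ip(peer_addr, headers) in CUSTOMERS_BY_IP
    return {"prompt": "sign in to view your account", "on_network": recognised}
```

Even with a correctly resolved address, `hardened_page` treats the IP as a hint rather than a credential, which is the property the flawed site lacked.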

Fixed or not, the sheer simplicity of intrusion thanks to a botched software update is more than a little scary -- it's not uncommon for attackers to use breached accounts as a starting point from which they go after others. We're sure Verizon will quietly look into things and see if any innocent customers caught flak thanks to this multi-week oversight, but hey, you could always tell us about it first.

Verizon owns Engadget's parent company, Verizon Media. Rest assured, Verizon has no control over our coverage. Engadget remains editorially independent.
