[BreachExchange] Vulnerabilities Exposed 2 Million Verizon Customer Contracts

[Destry Winant]

https://www.securityweek.com/vulnerabilities-exposed-2-million-verizon-customer-contracts

Vulnerabilities discovered by a security researcher in Verizon
Wireless systems could have been exploited by hackers to gain access
to 2 million customer contracts.

UK-based researcher Daley Bee was analyzing Verizon Wireless systems
when he came across a subdomain that appeared to be used by the
company’s employees to access internal point-of-sale tools and view
customer information. Further analysis led to the discovery of a URL
pointing to PDF format contracts for Verizon Wireless customers who
used the company’s monthly installment program to pay for their
devices.

While authentication was needed to access the files, the expert
initially managed to access one contract, linked to a specific phone
number and contract number, after brute-forcing the URL’s GET
parameters.

The researcher then realized that modifying the value of one of these
parameters would display a different contract. This is called an
insecure direct object reference (IDOR) vulnerability and they are
typically easy to exploit.

The exposed contracts contained information such as full name,
address, phone number, model and serial number of the acquired device,
and the customer’s signature.

“As usual, it’s the small & stupid things that are overlooked that
lead to the biggest issue,” the researcher said in a blog post.

Daley Bee determined that there were a total of roughly 2 million
valid combinations for the parameter affected by the IDOR flaw —
between 1310000000 and 1311999999 — and each corresponded to a Verizon
Wireless customer contract.

The hacker reported his findings to Verizon in mid-June and a patch
was rolled out roughly one month later. The researcher told
SecurityWeek that Verizon Wireless services are not covered by a bug
bounty program — Verizon provides an email address for responsibly
disclosing vulnerabilities but it does not offer rewards.

The researcher claims Verizon has verified his findings and confirmed
that the vulnerability exposed 2 million contracts.

SecurityWeek has reached out to Verizon for comment and will update
this article if the company responds.

UPDATE. Verizon provided SecurityWeek the following statement:

“We were made aware of this issue in June. When the issue was brought
to our attention, our cyber security team worked quickly with our
application team to resolve it.

We have no reason to believe that any customer information was
accessed by anyone other than the security researcher who reported
it.”