
Simple Bug Exposed Verizon Users' SMS Histories

Soulskill posted 1 year,1 day | from the nsa-never-needed-to-ask dept.

Verizon 60

Trailrunner7 writes "A security researcher discovered a simple vulnerability in Verizon Wireless's Web-based customer portal that enabled anyone who knows a subscriber's phone number to download that user's SMS message history, including the numbers of the people he communicated with. The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn't want others to have access to his account information. 'I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn't want my account information to be exposed in such a way,' Collier said via email."
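An added illustration of the bug the summary describes (example code, not Verizon's portal code): a handler that exports a line's SMS log as a spreadsheet-style CSV, first without and then with the check that the requested number is on the logged-in account. Account ids, numbers and messages are constructed sample data; the denied-request audit list is an assumption about what a defender would want logged.

```python
import csv
import io

# Constructed sample data (not real subscribers): which account owns which line,
# and a short per-line SMS log of (timestamp, peer number, direction).
ACCOUNTS = {
    "acct-alice": {"555-0100"},
    "acct-bob": {"555-0200", "555-0201"},
}
SMS_LOG = {
    "555-0100": [("2013-10-20 09:14", "555-0300", "out")],
    "555-0200": [("2013-10-20 10:02", "555-0400", "in"),
                 ("2013-10-20 10:05", "555-0400", "out")],
    "555-0201": [],
}

# Assumed audit trail of denied exports: one session asking for many different
# numbers is the pattern a defender would alert on.
DENIED = []


class Forbidden(Exception):
    """Raised when the requested line is not on the caller's account."""


def _to_csv(rows):
    """Render the export the way the portal did: a downloadable spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "peer_number", "direction"])
    writer.writerows(rows)
    return buf.getvalue()


def export_vulnerable(session_account, requested_number):
    """The defect in the story: the number comes straight from the request and
    is never tied back to the logged-in account, so any line's log is served."""
    return _to_csv(SMS_LOG.get(requested_number, []))


def export_fixed(session_account, requested_number):
    """Hardened handler: authorize the object (the line) against the session."""
    if requested_number not in ACCOUNTS.get(session_account, set()):
        DENIED.append((session_account, requested_number))
        raise Forbidden(f"{requested_number} is not on account {session_account}")
    return _to_csv(SMS_LOG.get(requested_number, []))


def handle_request(session_account, requested_number):
    """HTTP-style wrapper around the fixed handler: (status, body)."""
    try:
        return 200, export_fixed(session_account, requested_number)
    except Forbidden:
        return 403, ""


def peer_numbers(csv_text):
    """Inspect an export: the set of counterparties it reveals."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["peer_number"] for row in reader}
```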

Hasn't been sued yet? (5, Interesting)

michelcolman (1208008) | 1 year,1 day | (#45198567)

Most of the time, when somebody discloses a vulnerability like that in a responsible way, the result is a bunch of angry letters from lawyers accusing the reporter of hacking into the system, demanding damages to be paid, etcetera.

Apparently that didn't happen in this case, so this really is a news story!

Re:Hasn't been sued yet? (5, Funny)

Anonymous Coward | 1 year,1 day | (#45198583)

The news is that the NSA complained that Verizon SMS went dark...

Re:Hasn't been sued yet? (1, Redundant)

cyberjock1980 (1131059) | 1 year,21 hours | (#45199191)

This may be labeled as funny, but I saw this article just a few minutes before it popped up on Slashdot, and I thought the exact same thing.

The truth is we really don't know how long this problem has existed for, nobody knows if this was an accident or an "accident", and there's no telling who may have used this and to what depth. The NSA could have used this to scrape the SMS messages of every Verizon customer for weeks, months, or years.

Considering all the stuff about the NSA going around, I really don't consider it that unlikely to have been used by the NSA. They're so busy undermining all of our liberties (even people outside our borders) that I'm just not surprised by it anymore.

I really wonder if this whole NSA thing is going to cause a small revolution in IT leading to more secure systems not to keep out would-be hackers but to keep out our own governments. People seem to be far more concerned about government access to their data than anonymous hackers that gained access.

I guess we'll see in 5 years if the atmosphere around computer security has changed...

Re:Hasn't been sued yet? (2)

morgauxo (974071) | 1 year,20 hours | (#45199715)

More likely it will just get forgotten and ignored. You can't keep the people interested in what their government is doing unless it has a direct and obvious effect on their bank accounts. Even then.. it can be difficult.

Re:Hasn't been sued yet? (1)

Bucky24 (1943328) | 1 year,23 hours | (#45198657)

I have a feeling that by now it's probably "illegal" (by which I mean they have it in their TOS and no one wants to find out if it will stand by challenging it) to bring Verizon into a class action suit.

Re:Hasn't been sued yet? (-1, Flamebait)

Joining Yet Again (2992179) | 1 year,23 hours | (#45198767)

And would you base that statement on pulling things out of your ass, or what?

I find and report vulnerabilities from time to time. I've never had a hostile response. Mind you, I've never threatened to disclose to a wider audience, nor implied that i've used my knowledge in a particular damaging way, nor even attached my name to my Awesome Discovery after it's been fixed in a vain attempt to get recognition.

Re:Hasn't been sued yet? (0)

Anonymous Coward | 1 year,23 hours | (#45198833)

It's not difficult to find cases where this has happened. It was honestly my first thought after reading the article.

Since you obviously didn't bother trying to verify the statement for yourself before attacking the GP, I'm not going to bother finding these references for you. Do it yourself. Just know that you're wrong, and anyone who follows this sort of thing knows it.

Re:Hasn't been sued yet? (2)

Joining Yet Again (2992179) | 1 year,21 hours | (#45199123)

The statement made by the OP was "most of the time".

I can pull up hundreds of articles on murders, but "most people" aren't murdered.

This is like critical analysis 101.

Re:Hasn't been sued yet? (1)

antdude (79039) | 1 year,4 hours | (#45209439)

Maybe it will happen later.

How can it be? (4, Interesting)

scsirob (246572) | 1 year,1 day | (#45198619)

How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online? If I were any more cynical I'd suspect they are sloppy on purpose so they do not have to be bothered by our friends of the NSA. "It's self-service, fetch whatever you need!"

Re:How can it be? (4)

Rosco P. Coltrane (209368) | 1 year,23 hours | (#45198653)

How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online?

Because you think the size of an organization or the level of sensitivity of the data it handles are a guarantee of professionalism? How quaint.

Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ. That's if they don't outsource their services god knows where, where they have no visibility on who does what and how. If you think your data is safe with big concerns, you're deluding yourself.

Re:How can it be? (2)

Thanshin (1188877) | 1 year,23 hours | (#45198759)

Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ.

At first I was scared of being one of the hacks. Then I was scared I might be the one competent employee. Then I understood that was just an estimation and that the real ratio in a specific corporation could be +-1/100.

Re:How can it be? (5, Insightful)

Joining Yet Again (2992179) | 1 year,23 hours | (#45198771)

Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ.

And you know what the worst thing is? Everybody thinks they're the 1 competent employee.

Re:How can it be? (2)

VortexCortex (1117377) | 1 year,19 hours | (#45200275)

Not me! I'm one of the hacks! I don't know how to fix computers, and I'm also allergic to WIFI so I have to work from home, and can only use a smartphone during business hours -- Doctor's orders.

That's my story, and I'm sticking to it!

Re:How can it be? (2, Insightful)

Anonymous Coward | 1 year,23 hours | (#45198685)

Users don't care about security. Everybody uses Whatsapp, that pile of shit with more holes than Swiss cheese. Functionality is more important than security. Time-to-market is more important than security. You can tell people that every call they make is recorded, every SMS datamined, every location tracked. They do not care, because it never hurts them. The privacy apocalypse just doesn't happen. If more than a very small number of people are ever negatively affected by a privacy breach, then the laws will be changed and remedies will be found. It simply does not pay to do it right. Most software never leaves the prototype stage. If it works, ship it. You know the saying: "There's never time to do it right, but there's always time to do it over."

Re:How can it be? (4, Insightful)

l3v1 (787564) | 1 year,23 hours | (#45198781)

"Functionality is more important than security."

For average users, quite true. Non-average users, or ones that really want to keep their communications secret, also know that, and they don't use those services. That's why it makes so many people angry that the communications of masses of people are watched, probably 99.999% of the time totally unnecessarily. Of course, there's the good old catch-22 as well, since if they wouldn't watch the common channels, criminals wouldn't need to find better ways to communicate. So, as always, the majority of innocent people get hassled for the hope that the lives of the few criminals become harder. Well, a false hope (you all know Newton's 3rd law, right?), but still a hope.

Philosophical question (1)

Overzeetop (214511) | 1 year,22 hours | (#45198897)

This definitely rates the I word for Verizon's implementation of the feature - especially since, when I went over my quota of data with AT&T one night at 2am while I slept, both CS and TS said they couldn't give me even header data so I knew who/what was sucking my B/W dry. Too much or too little information, never the right amount.

You threw in this line:

the majority of innocent people get hassled

I think the word you're looking for is a very small minority, not majority. Verizon has nearly 100 million users of their network. Your sentence implies that more than 50 million people will be harassed or, at the least, inconvenienced in some non-trivial way by this. I would be rather surprised if the number actually made it past 10,000, or 1 in 10,000 users. That's equivalent to changing phone carriers and having them assign you the SAME last four digits of your old phone number in the new exchange/area code. A pretty amazingly rare occurrence.

This isn't meant to defend Verizon's absolutely slipshod implementation of their system, just to point out that, for all the moaning and handwaving, the chance of this actually affecting you is diminishingly small.

Re:How can it be? (1)

parkinglot777 (2563877) | 1 year,22 hours | (#45199031)

since if they wouldn't watch the common channels, criminals wouldn't need to find better ways to communicate

Depends on how you define "better ways" to communicate for criminals. It may be a simple solution, but have you ever heard of the old say "if you want to hide a leaf hide it in a forest"? In other words, they do not need to use other ways of communication but rather disguise their communication in the 99.999% you are talking about.

Re:How can it be? (1)

tibman (623933) | about a year ago | (#45214395)

Yikes. It sounds like you are saying criminals (the smart ones) are the ones using secret comms. I would argue that it's the smart non-criminals using secret comms to protect themselves from criminals. For example, do you feel comfortable putting your credit-card info into a form on a non-ssl site? I doubt it. You use secret communication to protect yourself from criminals, because you are not stupid.

Re:How can it be? (1)

jamesh (87723) | 1 year,23 hours | (#45198749)

How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online?

What did you just see?

Re:How can it be? (1)

herve_masson (104332) | 1 year,22 hours | (#45199037)

Backdoors are complex to setup and hide; frontdoors are easyer and can remain unnoticed for very long sometimes.

Re:How can it be? (0)

Anonymous Coward | 1 year,15 hours | (#45204075)

Easier, not easyer.

Re:How can it be? (0)

Anonymous Coward | 1 year,21 hours | (#45199127)

How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online?

The same way specialist application and OS software houses, e.g. Microsoft, have the worst security record on the planet and cost individuals and business billions per year fighting and attempting to prevent exploits in their products.

Re:How can it be? (1)

gstoddart (321705) | 1 year,20 hours | (#45199435)

How is it possible that large organizations such as Verizon fail to include or test even the most trivial security checks before they bring their websites online?

Because security takes time and costs money, and because there's absolutely no real laws compelling corporations to make any effort to do this properly.

How is it possible there isn't a law requiring them to safeguard your personal information and large penalties if they fail to do so? They can mostly just say "oops, sorry" with no penalty so why bother?

If I were any more cynical I'd suspect

You don't need to be more cynical. They do a half assed job of security because they only need to, and because there's no real penalties for being incompetent at implementing security.

So companies let some summer student write the stuff which secures your data, and don't actually give a damn if it works or not. The bottom line is, it's simply more cost effective to do a bad job of this, and there's no real privacy laws with any teeth to make them try harder.

Re:How can it be? (1)

fulldecent (598482) | 1 year,20 hours | (#45199457)

Trust me, the banks are just as bad.

Re:How can it be? (1)

fatphil (181876) | 1 year,20 hours | (#45199555)

But how could it possibly be hacked, they put client-side javascript code in to ensure that the hidden field containing the account number couldn't be modified!?!?!?

relief (0, Flamebait)

harvey the nerd (582806) | 1 year,23 hours | (#45198661)

I am so relieved that an experienced organization like Verizon is riding to the rescue on Obamacare.

Re:relief (1)

Cwix (1671282) | 1 year,21 hours | (#45199321)

Harvey the nerd, or Harvey the partisan troll. It is up to the reader to decide.

What exactly does this story have to do with obamacare?

Please do the world a favor and grow up.

Re:relief (1)

fatphil (181876) | 1 year,20 hours | (#45199629)

The story is to do with Verizon and their competencies.

One of the things Verizon's competence has just been specifically sought after for is Obamacare - that's in the news, at least here in Europe. Do you not have newspapers where you're from?

Re:relief (1)

tibman (623933) | about a year ago | (#45214457)

You still have newspapers? We have billionaire's blogs that are distributed as hard-copies.

Is this the first story you read this month? (0)

Anonymous Coward | 1 year,19 hours | (#45200471)

Some people can think beyond the story. Perhaps you should, too.

I thought Obama said... (1)

mschaffer (97223) | 1 year,19 hours | (#45200453)

I thought Obama said they brought in "top IT talent" to fix the problem? Is Verizon known for their websites working flawlessly under high load?

It also makes me think that, why did Obama only now bring in the "top IT talent". He should have started with them to begin with.

Oh, well.

What allows them to store your entire SMS history? (2)

flowerp (512865) | 1 year,23 hours | (#45198665)

The customer pays Verizon to offer a communication service, not a data retention and wiretap service. Thanks.

Re:What allows them to store your entire SMS histo (4, Funny)

Anonymous Coward | 1 year,23 hours | (#45198681)

They tried advertising it as a data retention and wiretap service, but it didn't do so well in focus groups.

Re:What allows them to store your entire SMS histo (1)

gl4ss (559668) | 1 year,23 hours | (#45198801)

probably billing.

would make more sense to only keep the content of premium sms's though.

Re:What allows them to store your entire SMS histo (0)

Anonymous Coward | 1 year,19 hours | (#45200297)

The customer pays Verizon to offer a communication service, not a data retention and wiretap service. Thanks.

So what should Verizon do if you get an SMS (or a hundred) while your phone is off, or out of range? What if you're in Europe for the week? For the month?

Re:What allows them to store your entire SMS histo (1)

tibman (623933) | about a year ago | (#45215003)

Hold it in a delivery queue, just like email and other messaging services.

Noted in the message area.... (0)

Anonymous Coward | 1 year,23 hours | (#45198731)

...anyone who knows a subscriber's phone number to download that user's SMS message history, including the numbers of the people he communicated with. The vulnerability, which has been resolved now...

DAMN!!!

NSA

Re:Noted in the message area.... (1)

Pieroxy (222434) | 1 year,20 hours | (#45199449)

Now it checks that it's either the owner of the number or an NSA employee.

Fits right in with Obamacare website (-1)

Anonymous Coward | 1 year,23 hours | (#45198849)

We're all naked at birth. Who needs privacy just because they've aged! Hail Verizon!

~ Lovely Pimp

Good to know... (1)

EmTeedee (948267) | 1 year,23 hours | (#45198851)

...he reported it to Verizon because he is a customer himself.
Not like, you know, because it is the right thing to do.

Re:Good to know... (0)

Anonymous Coward | 1 year,22 hours | (#45198941)

Making sure that deploying appalling software quality remains without consequence, thus encouraging more of the same, is the right thing to do?

Title sounds like a web ad (5, Funny)

Dave Emami (237460) | 1 year,22 hours | (#45198883)

"Learn about this one weird bug that Verizon doesn't want you to know!"

Re:Title sounds like a web ad (1)

VortexCortex (1117377) | 1 year,19 hours | (#45200305)

"TelCo's Hate this one easy trick."

Suuuuuure it's a bug (0)

EmagGeek (574360) | 1 year,22 hours | (#45198889)

Or a "feature" for the NSA.

Redundancy warning (0)

Anonymous Coward | 1 year,22 hours | (#45198901)

said he decided right away to report it to Verizon because he is a Verizon customer and didn't want others to have access to his account information. 'I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn't want my account information to be exposed in such a way,' Collier said via email."

What's the point of a word-by-word transcription when you're going to insert the actual quote anyway?

Class action law suit? (0)

Anonymous Coward | 1 year,22 hours | (#45198913)

This is not a bug, it's criminal negligence.

The best and brightest? (0)

Anonymous Coward | 1 year,22 hours | (#45198921)

This is the same company that is going to fix healthcare.gov [usatoday.com] ?

Not a bug, but a feature (2)

transporter_ii (986545) | 1 year,22 hours | (#45198955)

Not a bug, but a feature. It was added to make it easier for the NSA to put all of its "metadata" to easy use.

nope...it's a bug. (1)

mschaffer (97223) | 1 year,19 hours | (#45200409)

The NSA already has the metadata. It's a bug.
Unless, of course, it is a documented feature.

Verizon Health Care (1)

sw_crafter (2722551) | 1 year,22 hours | (#45198961)

Verizon brought in to "fix" the health care exchange at healthcare.gov: HHS brings in Verizon to help HealthCare.gov [usatoday.com]. Their record does not seem to bode well.

They were too busy fixing ObamaCare (1)

thesandbender (911391) | 1 year,22 hours | (#45198965)

They've been asked to help fix [usatoday.com] ObamaCare.

Planned feature (0)

Anonymous Coward | 1 year,20 hours | (#45199541)

Simple vulnerability, or simple feature? This way requires no warrants. Don't mean to be 'that' guy, but every other day we see a story like this tied to the NSA.

Like pounding 0 on a help line (2)

Impy the Impiuos Imp (442658) | 1 year,20 hours | (#45199551)

By far the fastest way to talk with a real person on Verizon's phone site is to start looking at phone models. A little box will appear asking if you want to talk to a sales representative. Click yes and they can then help you for other stuff, or at least know what to do.

LERT out of business? (3, Interesting)

Yebyen (59663) | 1 year,19 hours | (#45200061)

When I called Verizon customer service to see if they could send me a log of my text messages, I was informed it would cost me $50 and a letter from my lawyer to their Law Enforcement Response Team (LERT). I am glad to see that just anyone could get that information without any lawyer, $50, or even proving who they are.

Is this facility still available for paying customers of Verizon Wireless, to view their own text message history without the need for a team of lawyers?

I've just tried it on my account, it looks like it is available to the person who is paying my bill but not to myself (the Account Member gets basically no special privileges other than using the phone and viewing aggregate usage statistics to avoid going over the account limits.)

It would have been nice if Verizon had advised me of this service, rather than stonewalling me and telling me to get a lawyer.

Amazing technical incompetence (1)

mabu (178417) | 1 year,17 hours | (#45202041)

This really is security 101. Actually it's not even security 101, it's programming 101. You always assume the information fed to you is potentially invalid and qualify it.

How in their right mind could anyone at Verizon not check to see if the account id was legit? This is not a simple oversight. This is gross incompetence, or else it was intentionally left this way.

Don't these companies do security audits?

Compare to Weev case (2)

SpaceLifeForm (228190) | 1 year,16 hours | (#45202523)

Both involved access via web where the web app failed to do proper validation. Apparently Verizon actually handled this well.

Acity024 (1)

Acity024 (3406689) | about a year ago | (#45210463)

Criminals