Petronella Blog Archive


Giant Hole in Verizon’s Security


Until recently, a flaw in Verizon’s website could have allowed even the most talentless hackers access to customer data. The problem originated within the company’s customer service website, where it was discovered that gaining control of another customer’s account and, in turn, that customer’s account information isn’t very challenging at all. Here’s how it was accomplished:

First, you simply need a free Firefox extension known as “X-Forwarded-For Header.” This extension sets the X-Forwarded-For request header, which allows one to present another user’s IP address to a website that trusts that header, assuming that they know another IP address to impersonate. The most inexperienced hacker in the world could do this by establishing some sort of link with another person, whether it’s through a link in an email or even an online game. If this person is a Verizon customer, bingo! On to step 3. Using the IP address obtained through contact with a Verizon customer, simply insert it into the Firefox extension, thus establishing your computer as another’s in the eyes of Verizon’s customer support website. From here, the website should recognize you as that customer and may even say “Hello, (insert fake ID).”

At this point, all you need to do is some smooth talking. Using the source code within the website’s customer support pages, you can find the true account user’s email address and phone number, and those two things combined with the account name are sometimes enough to request a password reset. If the account has a PIN, all you need to do is discover the amount of the last payment, which customer support will take in place of a “forgotten PIN.” Conveniently, you don’t need to overcome any actual security measures when obtaining the amount of the last payment. Armed with the true account owner’s name, email address, phone number, and payment info, you’re only a call away from a new password and top-secret customer information.
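The first step above works only if the site takes the visitor’s identity from a client-supplied X-Forwarded-For header. As an added example (not code from Verizon or from the original post), this Python code contrasts that weak pattern with a resolver that honors the header only for hops appended by trusted proxies; the function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import Optional

# Assumption: only these networks belong to our own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed sample range


def _is_trusted(addr: str) -> bool:
    """True if addr is one of our own proxies; raises ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Weak pattern: believe whatever the request header claims."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def resolve_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Hardened: use X-Forwarded-For only for hops added by trusted proxies."""
    # A request arriving directly from an untrusted peer controls its own
    # headers, so the only reliable address is the socket peer.
    if not xff or not _is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies,
    # everything to the left of the first outside address is client-supplied.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket peer
    return peer_addr
```

Even a correctly resolved IP address only identifies a network location; it is not a credential and should not decide which customer account a session belongs to.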

If this vulnerability were to be taken advantage of, things like credit card information and Social Security numbers would be up for grabs. Luckily, this hole in security was discovered by Eric Taylor, the chief internet security officer of Cinder. Taylor tipped off BuzzFeed News to the issue under the condition that they alert Verizon to the matter before the public. Verizon had time to fix the vulnerability before it was shared with the internet, but not before BuzzFeed’s Joseph Bernstein investigated the matter himself, verifying that the flaw was very real and potentially very dangerous.