Researcher: Verizon Security Glitch Left Customer Information Vulnerable
Verizon Communications (NYSE:VZ) has finally fessed up to and fixed a security glitch found by a researcher at Prvsec that allowed anyone with a Verizon username and password easy access to the texting information of all other Verizon customers, The Verge reports.
The glitch involved the Verizon website’s “download to spreadsheet” function, which allows Verizon customers to log in and download a file of the date, time, and recipient of their most recent text messages. Before the glitch was fixed, a Verizon customer could type in the phone number of any other Verizon customer to see the same information about the texts sent from that person’s phone. Engadget pointed out that the actual content of the messages could not be accessed, but being able to access when and to whom text messages were sent is a serious privacy failing in and of itself.
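The access-control gap described above, as an added example (not Verizon's code; the page does not show the site's implementation). The function names, account table and phone numbers are constructed assumptions. The first export trusts any logged-in session, while the second also checks that the requested number belongs to the session's account and records denied requests for monitoring.

```python
import csv
import io

# Constructed sample data: which lines each account owns, and per-line
# text metadata (date, time, recipient), the fields the export exposed.
ACCOUNT_LINES = {"alice": {"2025550101"}, "bob": {"2025550102"}}
TEXT_LOG = {
    "2025550101": [("2000-01-01", "09:15", "2025550150")],
    "2025550102": [("2000-01-02", "17:40", "2025550160")],
}

def normalize(number):
    """Reduce user input to digits so '202-555-0101' matches '2025550101'."""
    return "".join(ch for ch in str(number) if ch.isdigit())

def to_csv(number):
    """Render one line's text metadata as the downloadable spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "time", "recipient"])
    writer.writerows(TEXT_LOG.get(number, []))
    return buf.getvalue()

def export_vulnerable(session_user, requested_number):
    """The flaw as described: a valid login is the only check performed."""
    if session_user not in ACCOUNT_LINES:
        raise PermissionError("not logged in")
    return to_csv(normalize(requested_number))

def export_hardened(session_user, requested_number, denied_log):
    """Authorize the requested object, not just the session."""
    owned = ACCOUNT_LINES.get(session_user)
    if owned is None:
        raise PermissionError("not logged in")
    number = normalize(requested_number)
    if number not in owned:
        # Cross-account requests are a signal worth alerting on.
        denied_log.append((session_user, number))
        raise PermissionError("number is not on this account")
    return to_csv(number)
```

Normalizing before the ownership check matters: comparing the raw string would let a differently formatted number slip past or wrongly reject the account's own line.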
The Prvsec researcher discovered the flaw in August, and up until it was fixed in September, the texting information of tens of millions of Verizon customers was vulnerable. It was then another month before Verizon made the issue public, on Monday. “I’m a Verizon customer myself,” the unnamed researcher told The Verge after explaining that he contacted Verizon as soon as he discovered the flaw and made sure it wasn’t made public before it was fixed, “so I wouldn’t want my own data exposed this way.”
Verizon confirmed with The Verge that the glitch has been fixed, saying: “Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it, and no customer information was impacted.”
The researcher’s report, which was seen by The Verge, complained about how difficult it was for him to bring the problem to Verizon’s attention, citing a lengthy process just to contact Verizon’s security team and the weeks that went by between Verizon being notified about the bug and fixing it. “They need to make it easier to reach out,” the researcher said to the publication.
Engadget called the ability to get Verizon’s attention at all a “victory,” as up until this issue occurred, the company had no dedicated contact for security flaws. The press coverage of the hack will hopefully encourage Verizon, the nation’s largest wireless carrier, to be more proactive about security flaws in the future.
Follow Jacqueline on Twitter @Jacqui_WSCS