Thursday, August 11, 2005

Verizon Wireless Personal Data Advisory

Via NuclearElephant.com.

Synopsis:

Verizon Wireless customers in the east may have had limited personal information about their account viewed by other Verizon Wireless customers up until early August 11, 2005, when the problem was corrected by Verizon Wireless' Security Response Team.

The problem appears to have been localized to the systems containing information about Verizon Wireless customers in the east, or approximately one third of the customer base. Therefore, only customers living in the east were at risk for having any personal information leaked.

The problem was confirmed fixed on August 11 at 2AM EST by a Verizon Wireless Information Security Team member, and tested and confirmed fixed by Nuclear Elephant.

About the Vulnerability:

A sanity check failed to exist in ebillpay's unbilled-usage modules to to correlate phone numbers with accounts. This could have been used by a malicious user to mine data through Verizon Wireless' website about other Verizon Wireless customers. The data available included statement activity such as current balance and last payment made, and usage information. It may have also been possible at one point to activate a handset on another customers' phone number (this, however, remained unconfirmed due to the entire activation tool being unavailable at the time the vulnerability was discovered; Verizon Wireless has not commented on whether this particular vulnerability existed).

0 Comments:

Post a Comment

<< Home