A sanity check failed to exist in ebillpay's unbilled-usage modules to to correlate phone numbers with accounts. This could have been used by a malicious user to mine data through Verizon Wireless' website about other Verizon Wireless customers.
f353ab176a9e04fc59c8897a00b39596a2da68f7d47cbb92dfe69650f1cefb42
--Apple-Mail-1--567951525
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
delsp=yes;
format=flowed
Jonathan A. Zdziarski
Nuclear Elephant
August 11, 2005
Description: East-Coast Verizon Wireless Customer Data at Risk
Synopsis:
Verizon Wireless customers in the east may have had limited personal
information about their account viewed by other Verizon Wireless
customers up until early August 11, 2005, when the problem was
corrected by Verizon Wireless' Security Response Team.
The problem appears to have been localized to the systems containing
information about Verizon Wireless customers in the east, or
approximately one third of the customer base. Therefore, only
customers living in the east were at risk for having any personal
information leaked.
The problem was confirmed fixed on August 11 at 2AM EST by a Verizon
Wireless Information Security Team member, and tested and confirmed
fixed by Nuclear Elephant.
About the Vulnerability:
A sanity check failed to exist in ebillpay's unbilled-usage modules
to to correlate phone numbers with accounts. This could have been
used by a malicious user to mine data through Verizon Wireless'
website about other Verizon Wireless customers. The data available
included statement activity such as current balance and last payment
made, and usage information. It may have also been possible at one
point to activate a handset on another customers' phone number (this,
however, remained unconfirmed due to the entire activation tool being
unavailable at the time the vulnerability was discovered; Verizon
Wireless has not commented on whether this particular vulnerability
existed).
Contact Information:
Jonathan Zdziarski
jonathan@nuclearelephant.com
Tom Pica
Verizon Wireless
Thomas.Pica@VerizonWireless.com
908-306-4385
Original URL:
http://www.nuclearelephant.com/papers/verizon.html
Notes:
This advisory is in no way affiliated with Verizon Wireless and is
informational only
--Apple-Mail-1--567951525
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=ISO-8859-1
<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =
-khtml-line-break: after-white-space; "><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">Jonathan A. =
Zdziarski</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Nuclear Elephant</FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">August 11, =
2005</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Description: East-Coast Verizon Wireless Customer Data =
at Risk</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Synopsis:</FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Verizon Wireless customers in the east may have had =
limited personal</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">=A0</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">information about their account viewed by other Verizon =
Wireless customers up</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">=A0</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">until early August 11, 2005, when the problem was =
corrected by Verizon</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">=A0</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">Wireless' Security Response Team.</FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 12px/normal Courier; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">The problem appears to have =
been localized to the systems containing=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">information about Verizon =
Wireless customers in the east, or approximately one</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">third of the customer base. =
Therefore, only customers living in the east were</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">at risk for having any =
personal information leaked.</FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Courier">The =
problem was confirmed fixed on August 11 at 2AM EST by a Verizon =
Wireless=A0</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">Information Security Team member, and tested and =
confirmed fixed by Nuclear=A0</FONT><FONT class=3D"Apple-style-span" =
face=3D"Courier">Elephant.</FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">About the Vulnerability:</FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 12px/normal Courier; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">A sanity check failed to =
exist in ebillpay's unbilled-usage modules to=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">to correlate phone numbers =
with accounts. This could have been used by a</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">malicious user to mine data =
through Verizon Wireless' website about other</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">Verizon Wireless customers. =
The data available included statement activity such=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">as current balance and last =
payment made, and usage information. It may have=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">also been possible at one =
point to activate a handset on another customers'=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">phone number (this, however, =
remained unconfirmed due to the entire activation=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">tool being unavailable at =
the time the vulnerability was discovered; Verizon=A0</FONT><FONT =
class=3D"Apple-style-span" face=3D"Courier">Wireless has not commented =
on whether this particular vulnerability existed).</FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 12px/normal Courier; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Contact Information:</FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 12px/normal Courier; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">Jonathan =
Zdziarski</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier"><A =
href=3D"mailto:jonathan@nuclearelephant.com">jonathan@nuclearelephant.com<=
/A></FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Courier">Tom =
Pica</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Verizon Wireless</FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier"><A =
href=3D"mailto:Thomas.Pica@VerizonWireless.com">Thomas.Pica@VerizonWireles=
s.com</A></FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">908-306-4385</FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal =
normal normal 12px/normal Courier; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier">Original URL:</FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: =
normal normal normal 12px/normal Courier; min-height: 14px; =
"><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier"><A =
href=3D"http://www.nuclearelephant.com/papers/verizon.html">http://www.nuc=
learelephant.com/papers/verizon.html</A></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Courier"><BR =
class=3D"khtml-block-placeholder"></FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">Notes:</FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Courier"><BR =
class=3D"khtml-block-placeholder"></FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier">This advisory is in no way =
affiliated with Verizon Wireless and is informational =
only</FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><FONT class=3D"Apple-style-span" =
face=3D"Courier"><BR class=3D"khtml-block-placeholder"></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Courier"><BR =
class=3D"khtml-block-placeholder"></FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Courier"></FONT></DIV></BODY></HTML>=
--Apple-Mail-1--567951525--