Verizon Flaw Allowed Privileged Customer Access Through IP Spoofing

Buzzfeed uncovered – and Verizon closed – a gaping security hole in Verizon’s customer service systems. The exploit was based on Verizon’s seemingly unprotected customer information page, which appeared when users visited a certain website from an IP address familiar to Verizon’s servers. This meant that someone who knew a customer’s IP address – the dotted number series that essentially identifies computers on a network – would be able to view private information about that user, including their email, phone number, and the devices on their Verizon plan.

Eric Taylor aka Cosmo the God, a former hacker and current chief information security officer at Cinder, and a student named Blake Welsh discovered the exploit and notified Verizon before going public with the information. To perform the hack, an attacker would need the victim’s IP address and a browser capable of spoofing an IP address. Ultimately, by grabbing basic information about a user, the hacker could reset the user’s Verizon account password and then move on into various customer-only features. In fact, in a lengthy write-up, Buzzfeed writer Joseph Bernstein describes how he was able to convince Verizon technical support to change the passwords of Verizon customers who agreed to give up their IP addresses.

Was customer data truly in danger? Yes, but with some caveats. Like the infamous AT&T “hack” allegedly perpetrated by Andrew Auernheimer aka weev, this was entirely Verizon’s fault. Relying on something as simple as an IP address to decide whose data to expose was, at best, irresponsible. Users who actively used their Verizon email addresses could have been hacked and had passwords and credit cards stolen. At the very least, hackers could have accessed customer data, turned services on and off, and eventually listened to user voicemails. Verizon said in a statement that no customer data was accessed in this way.

Taylor, for his part, is glad the hole is now closed.

“All-in-all it was an epic exploit, but if we didn’t report it could have ended up in the wrong hands and it would’ve been a disaster,” said Taylor. “The customer data that was exposed via this vulnerability was enough for anyone to receive a password reset on any Verizon account as well.”

“There are so many ways it could have played out if the vulnerability ended up in the wrong hands,” he said.