Security experts have uncovered a flaw in a Web site operated by
Verizon Wireless that could expose details of users' personal cell
phone bills.
Marc Slemko, a Seattle-based software developer, posted the warning
1 September on the BugTraq security mailing list after notifying
Verizon of the problem on 19 August and receiving no response. Half
a dozen other security experts later confirmed his findings.
The privacy hole affected users who logged on to the Verizon
Wireless Web site and used the "My Account" feature to view or
change their cell phone billing and account information.
The Web site address for the feature assigns session
identifications sequentially as each user logs in. The IDs are
valid until the user logs out or the session times out. However,
because this ID is the only session identifier used, Slemko said it
is easy to manually access the accounts of other users by guessing
their session IDs. In addition, "automated tools can grab this
information in bulk as users log in over time," he wrote.
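The weakness described above, seen from the defender's side, as an added
example (not code from Verizon or from Slemko's post): a sequential ID
issuer beside one that draws IDs from the operating system's random
source, and a check that flags a sample of issued IDs as predictable.
The class names, starting value, step limit and threshold are
assumptions made for illustration.

```python
import secrets
from itertools import count

class SequentialIssuer:
    """Weak pattern from the article: each login gets the next number."""
    def __init__(self, start=100000):      # constructed starting value
        self._next = count(start)
    def issue(self):
        return str(next(self._next))

class RandomIssuer:
    """Hardened form: 128 bits from the OS CSPRNG for every session."""
    def issue(self):
        return secrets.token_hex(16)

def _as_int(session_id):
    """Read an ID as a decimal or hex number; None if it is neither."""
    for base in (10, 16):
        try:
            return int(session_id, base)
        except ValueError:
            pass
    return None

def sequential_ratio(ids, max_step=16):
    """Share of consecutive IDs (in issue order) that rise by 1..max_step.

    max_step allows for other users logging in between the tester's own
    logins, which leaves small gaps in an otherwise sequential series.
    """
    nums = [_as_int(s) for s in ids]
    if len(nums) < 2 or any(n is None for n in nums):
        return 0.0
    hits = sum(1 for a, b in zip(nums, nums[1:]) if 0 < b - a <= max_step)
    return hits / (len(nums) - 1)

def audit(ids, threshold=0.5):
    """Label a sample of session IDs collected from one's own test logins."""
    return "PREDICTABLE" if sequential_ratio(ids) >= threshold else "ok"

if __name__ == "__main__":
    weak, strong = SequentialIssuer(), RandomIssuer()
    for name, issuer in (("sequential", weak), ("random", strong)):
        sample = [issuer.issue() for _ in range(20)]
        print(name, sample[:2], audit(sample))
```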
The vulnerability puts at risk such information as names,
addresses, records of calls placed and received, along with the
phone number and approximate location of the user when the call was
made, according to Slemko.
Brian Wood, a spokesman for Verizon Wireless, said IT workers at
the company repaired the flaw yesterday. When asked why it took
Verizon so long to act on Slemko's alert, Wood said Slemko did not
"escalate" his query properly.
"You have five different options to contact us on the Web site," he
said. "His e-mail apparently went into the normal e-mail box and
was handled by a frontline customer service representative. It kind
of got bogged down in the system."
However, Wood also said that previous security tests run by Verizon
on the site had not uncovered the flaw.
"We've not seen any evidence that someone might have taken
advantage of this hole," he said.