Verizon vulnerability exposed customers' data
2015-05-14 10:07 by Daniela
Tags: Verizon, vulnerability
Former hacker Eric Taylor, aka Cosmo the God, and a student named Blake Welsh have discovered a vulnerability in a Verizon system that would allow attackers to gain access to the personal information of Verizon Internet customers with just a browser plug-in and a spoofed IP address.
Taylor and Welsh got a Verizon user's IP address from the header of an email sent to them by one of the volunteers who had given them permission to gain control of his account. With the help of "X-Forwarded-For Header," a Firefox extension that allows a browser to impersonate any IP address, they visited Verizon's website with the spoofed IP address.
The problem came from the fact that Verizon's customer support website identifies users through their computer's IP address. Since the internet service provider itself assigns the address, the site just needs to know whether a customer is visiting the page with an IP address that Verizon recognizes. And as those IP addresses are unique to each home internet customer, when the system detects one it recognizes, it assumes it knows who you are and automatically displays personal information like your location, your name, your phone number, and your email address. That data is sufficient for an attacker to take control of a Verizon account.
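As an added example (not from the original article, and not Verizon's code, which the article does not show), here is a Python sketch of the flawed pattern described above, where a site takes the visitor's address from the X-Forwarded-For header, next to a hardened version. The function names, the proxy range and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed values from documentation ranges, not real Verizon addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: the site's own load balancers
CUSTOMER_IP = "198.51.100.23"  # assumed: a subscriber's home address
OUTSIDER_IP = "203.0.113.50"   # assumed: an unrelated client on the internet


def client_ip_naive(peer_addr, headers):
    """Flawed pattern: believe X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr


def _is_trusted(addr):
    """True if addr belongs to one of the site's own proxies."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_hardened(peer_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and take the right-most hop that is not itself a trusted proxy."""
    if not _is_trusted(peer_addr):
        return peer_addr  # header was set by the client itself: ignore it
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
    return peer_addr


if __name__ == "__main__":
    forged = {"X-Forwarded-For": CUSTOMER_IP}
    print("naive   :", client_ip_naive(OUTSIDER_IP, forged))
    print("hardened:", client_ip_hardened(OUTSIDER_IP, forged))
```

Even a correctly resolved client address is only a hint about who is visiting; displaying account details should still require the customer to log in.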
The founders were able to verify this vulnerability multiple times, on multiple accounts, with the explicit and repeated permission of the account holders. The flaw put any of Verizon's 9 million home internet customers at risk. The carrier was notified before the information was made public. It has already patched the flaw.