A researcher has disclosed a vulnerability he discovered in Verizon Wireless’s Web-based customer portal that would have allowed users’ SMS text messages and information to be downloaded with nothing more than knowledge of the target’s mobile phone number.
The flaw, which Verizon says has been mitigated, was uncovered and reported to the company by security researcher Cody Collier, who himself is a Verizon customer.
“I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn’t want my account information to be exposed in such a way,” said Collier.
Collier discovered that the web application designed to let customers check on their own text message history failed to prevent users from altering the phone number in the URL, allowing anyone to check another customer’s records, including the phone numbers of the parties receiving the messages.
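The missing control described above is an ownership check on the phone number taken from the URL. The sketch below is an added example, not Verizon's code: it sets the flawed pattern beside a corrected one and logs denied requests so repeated lookups of other customers' numbers stand out. Every name, session token, account ID, phone number and record in it is hypothetical and constructed.

```python
# Added illustration; all names and data are hypothetical and constructed.
SESSIONS = {"tok-alice": "acct-1001", "tok-bob": "acct-2002"}   # session -> account
ACCOUNT_LINES = {"acct-1001": {"555-0100"}, "acct-2002": {"555-0199"}}
MESSAGES = {  # per-number message history (metadata only)
    "555-0100": [{"to": "555-0142", "date": "2013-10-01"}],
    "555-0199": [{"to": "555-0123", "date": "2013-10-02"}],
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested records."""


def history_before(session_token, number):
    """Flawed pattern: the session is checked, the number from the URL is trusted."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return MESSAGES.get(number, [])


def history_after(session_token, number, audit_log):
    """Corrected pattern: the number must belong to the session's own account."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise Forbidden("not logged in")
    if number not in ACCOUNT_LINES.get(account, set()):
        # Record the denial so repeated probing of other numbers is visible.
        audit_log.append({"account": account, "requested": number})
        raise Forbidden("number is not on this account")
    return MESSAGES.get(number, [])


def accounts_probing(audit_log, threshold=3):
    """Accounts denied on at least `threshold` distinct numbers they do not own."""
    seen = {}
    for entry in audit_log:
        seen.setdefault(entry["account"], set()).add(entry["requested"])
    return sorted(a for a, nums in seen.items() if len(nums) >= threshold)


if __name__ == "__main__":
    log = []
    print(history_before("tok-alice", "555-0199"))  # another customer's records
    for n in ("555-0199", "555-0150", "555-0151"):
        try:
            history_after("tok-alice", n, log)
        except Forbidden as exc:
            print("denied:", n, exc)
    print(accounts_probing(log))
```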
“This was reported in responsible disclosure, so I don’t see how this is being compared to Weev who had malicious intent,” Collier said.