Message-ID: <00A7D37D-39ED-43CD-A017-A33D85B85331@nuclearelephant.com>
Date: Thu Aug 11 14:48:48 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Verizon Wireless Personal Data Advisory

Jonathan A. Zdziarski
Nuclear Elephant
August 11, 2005

Description: East-Coast Verizon Wireless Customer Data at Risk

Synopsis:

Verizon Wireless customers in the east may have had limited personal  
information about their account viewed by other Verizon Wireless  
customers up until early August 11, 2005, when the problem was  
corrected by Verizon Wireless' Security Response Team.

The problem appears to have been localized to the systems containing  
information about Verizon Wireless customers in the east, or  
approximately one third of the customer base. Therefore, only  
customers living in the east were at risk for having any personal  
information leaked.

The problem was confirmed fixed on August 11 at 2AM EST by a Verizon  
Wireless Information Security Team member, and tested and confirmed  
fixed by Nuclear Elephant.

About the Vulnerability:

ebillpay's unbilled-usage modules lacked a sanity check to correlate
phone numbers with accounts. A malicious user could have used this to
mine data about other Verizon Wireless customers through Verizon
Wireless' website. The data available included statement activity,
such as current balance and last payment made, and usage information.
It may also have been possible at one point to activate a handset on
another customer's phone number (this, however, remained unconfirmed
because the entire activation tool was unavailable at the time the
vulnerability was discovered; Verizon Wireless has not commented on
whether this particular vulnerability existed).


Contact Information:

Jonathan Zdziarski
jonathan@...learelephant.com

Tom Pica
Verizon Wireless
Thomas.Pica@...izonWireless.com
908-306-4385

Original URL:

http://www.nuclearelephant.com/papers/verizon.html

Notes:

This advisory is in no way affiliated with Verizon Wireless and is
informational only.
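
The missing phone-number-to-account correlation described under "About the Vulnerability", shown beside the check that closes it. This is an added example, not code from the advisory or from Verizon Wireless; every name and all sample data (`ACCOUNT_LINES`, `UNBILLED_USAGE`, `usage_unchecked`, `usage_checked`, the session layout) are hypothetical.

```python
# Constructed sample data: lines owned by each account, and usage per line.
ACCOUNT_LINES = {
    "acct-1001": {"5550100", "5550101"},
    "acct-2002": {"5550199"},
}
UNBILLED_USAGE = {
    "5550100": {"minutes": 212, "balance": "48.10"},
    "5550101": {"minutes": 35, "balance": "48.10"},
    "5550199": {"minutes": 640, "balance": "91.75"},
}


class Forbidden(Exception):
    """The session's account does not own the requested line."""


def normalize(number):
    """Reduce a user-supplied phone number to digits for exact comparison."""
    return "".join(ch for ch in str(number) if ch.isdigit())


def usage_unchecked(session, requested_number):
    """Flawed pattern: requires a login but trusts the number in the request."""
    if not session.get("account_id"):
        raise Forbidden("not logged in")
    return UNBILLED_USAGE.get(normalize(requested_number))


def usage_checked(session, requested_number, audit_log):
    """Hardened pattern: the line must belong to the authenticated account."""
    account_id = session.get("account_id")
    number = normalize(requested_number)
    owned = ACCOUNT_LINES.get(account_id, set())
    if not account_id or number not in owned:
        # Same error for unknown and foreign numbers, so replies do not
        # reveal which numbers exist; the denial is logged for detection.
        audit_log.append(
            {"account": account_id, "requested": number, "result": "denied"}
        )
        raise Forbidden("line not on this account")
    return UNBILLED_USAGE.get(number, {})
```

Repeated denials from one account across many different numbers in `audit_log` are the signal worth alerting on.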

