Privacy hole found in Verizon Wireless Web site
September 6, 2001 (Computerworld) -- Security experts discovered a flaw this week in the Web site operated by Verizon Wireless that potentially exposed the private customer information of those who used the Web site to view their personal cell phone bills.

Marc Slemko, a Seattle-based software developer, posted the warning Sept. 1 on the BugTraq security mailing list after notifying Verizon of the problem on Aug. 19 and receiving no response. Half a dozen other security experts later confirmed his findings.

The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The feature carries a session identifier in the Web site address, and the server assigns those identifiers sequentially as each user logs in. An ID stays valid until the user logs out or the session times out. Because that ID is the only thing tying a request to a logged-in account, Slemko said it's easy to reach other users' accounts manually by guessing session IDs close to one's own. In addition, "automated tools [can] grab this information in bulk as users login over time," he wrote.
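The flaw described above comes down to one design decision: a session identifier drawn from a counter. The following Python simulation is an added illustration, not code from Verizon or from Slemko's BugTraq post. It models a counter-based session store beside one that draws IDs from the operating system's CSPRNG, shows how a logged-in attacker harvests neighbouring sessions (and keeps harvesting as new users log in), and includes the black-box check a tester would run to spot sequential IDs. All account names and the starting counter value are constructed for the demo.

```python
"""Sequential vs. random session IDs (added example; all data constructed).

SequentialSessionStore reproduces the weakness in the article: IDs come
from a counter, so anyone holding one valid ID can walk its neighbours.
RandomSessionStore is the usual fix: 256-bit IDs from secrets.token_urlsafe.
"""
import itertools
import secrets
from typing import Dict, Iterator, Optional, Set


class SequentialSessionStore:
    """Vulnerable: the session ID is just the next integer (hypothetical model)."""

    def __init__(self, start: int = 1000) -> None:      # start value is arbitrary
        self._counter = itertools.count(start)
        self._sessions: Dict[str, str] = {}             # session_id -> account

    def login(self, account: str) -> str:
        sid = str(next(self._counter))
        self._sessions[sid] = account
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        # The ID alone authorises the request: no cookie, no second factor.
        return self._sessions.get(sid)


class RandomSessionStore(SequentialSessionStore):
    """Hardened: 32 random bytes per session, URL-safe encoded."""

    def login(self, account: str) -> str:
        sid = secrets.token_urlsafe(32)                 # 256 bits of entropy
        self._sessions[sid] = account
        return sid


def candidate_ids(observed_sid: str, window: int) -> Iterator[str]:
    """IDs an attacker would try after seeing one ID of their own.

    A plain integer invites trying the neighbours on both sides, which also
    catches users who log in after the attacker (IDs above their own).
    An unstructured token leaves only blind guessing, which cannot hit a
    256-bit value in any realistic number of attempts.
    """
    if observed_sid.isdigit():
        base = int(observed_sid)
        for delta in range(-window, window + 1):
            if delta:
                yield str(base + delta)
    else:
        for _ in range(2 * window):
            yield secrets.token_urlsafe(32)


def harvest_other_accounts(store: SequentialSessionStore, my_sid: str,
                           window: int = 50) -> Set[str]:
    """Accounts reachable from one attacker session by guessing IDs."""
    found: Set[str] = set()
    for sid in candidate_ids(my_sid, window):
        account = store.lookup(sid)
        if account is not None and sid != my_sid:
            found.add(account)
    return found


def session_ids_look_sequential(store: SequentialSessionStore,
                                samples: int = 5, max_gap: int = 100) -> bool:
    """Black-box check: log in several times and compare successive IDs.

    Returns True when every ID is an integer and each one exceeds the
    previous by a small positive step, the signature of a counter.
    """
    ids = [store.login(f"probe-{i}") for i in range(samples)]
    if not all(s.isdigit() for s in ids):
        return False
    gaps = [int(b) - int(a) for a, b in zip(ids, ids[1:])]
    return all(0 < g <= max_gap for g in gaps)


if __name__ == "__main__":
    for cls in (SequentialSessionStore, RandomSessionStore):
        store = cls()
        for victim in ("alice", "bob", "carol"):        # constructed victims
            store.login(victim)
        mine = store.login("mallory")
        print(cls.__name__, "harvested:", sorted(harvest_other_accounts(store, mine)),
              "| sequential?", session_ids_look_sequential(store))
```

In the vulnerable store the attacker reads every active account from a single login, and a second pass later picks up anyone who logged in since; in the hardened store both passes come back empty and the sequential-ID check fails, which is the behaviour a fix should be verified against.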

The vulnerability put at risk such information as names, addresses, records of calls placed and received, along with the phone number and approximate location of the user when the call was made, according to Slemko and others.

Brian Wood, a spokesman for Bedminster, N.J.-based Verizon Wireless, said IT workers at the company fixed the hole as of 5 a.m. EDT yesterday. When asked why it took Verizon so long to act on Slemko's Aug. 19 alert, Wood said Slemko didn't properly "escalate" his query.

"You have five different options to contact us on the Web site. His e-mail apparently went into the normal e-mail box and was handled by a front-line customer service representative," said Wood. "It kind of got bogged down in the system." However, Wood also said previous security tests run by Verizon on the site hadn't uncovered the flaw.

Wood said the flaw affected only a portion of the users who signed up for online billing. The hole was never an issue for former customers of Bell Atlantic Mobile, GTE Wireless, AirTouch Cellular or PrimeCo Personal Communications -- the companies that now make up Verizon Wireless.

"We've not seen any evidence that someone might have taken advantage of this hole," he said.

However, Verizon, which serves more than 28 million wireless customers, isn't alone in suffering from predictable online session IDs, according to a study presented at last month's 10th annual Usenix security conference by Kevin Fu and two other researchers at the MIT Laboratory for Computer Science. Of the 27 sites they investigated, many were found to
