A rudimentary URL hack may have exposed texting data for tens of millions of Verizon customers, according to a new report from security researcher Prvsec. The vulnerability was reportedly fixed in September, a month after Prvsec privately disclosed it to the carrier, but before it was addressed it allowed attackers to see who Verizon users texted and when, provided they had a subscriber-level login to the carrier's website.
Who users texted and whenThe hack centers on the Verizon website's "download to spreadsheet" function, which allows subscribers to download a CSV file of the time, date, and recipient of their recent texts. Unfortunately, the URL for that download contained the subscriber's phone number, and simply changing the phone number in the URL would let a user download that number's spreadsheet. As recently as August, there were no safeguards to ensure that the person downloading the spreadsheet owned that number, potentially exposing tens of millions of Verizon customers' contact lists and texting habits.
Speaking to The Verge, the Prvsec researcher emphasized that he had disclosed the vulnerability responsibly, with no ill intent, and made sure it did not become public before the carrier had a chance to fix it. "I'm a Verizon customer myself," the researcher says, "so I wouldn't want my own data exposed this way." At the same time, the story leaves lingering concerns over Verizon's security practices. the post complains of a lengthy and intricate process simply to contact the security team, and months going by with no updates as to the status of the bug. "They need to make it easier to reach out," the researchers says. Otherwise, more serious vulnerabilities could still be going unreported.
Update: A Verizon representative confirmed the Prvsec report to the matter, saying, "Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it, and no customer information was impacted."