Eric Taylor, chief information security officer at Cinder, gave a tip to Buzzfeed about a vulnerability in Verizon‘s security discovered by Taylor and Blake Welsh, students at Anne Arundel Community College in Maryland, on the condition that they first inform Verizon about the issue before publishing an article on it —which they did.
The flaw was in the way Verizon recognizes its customers through their IP address. As long as you were able to mask your IP address and show it as an IP address that Verizon recognized, it automatically displayed the name, location, phone number, and email address of the IP address user. This information was enough to take over a Verizon account.
To test the vulnerability, Buzzfeed used an older version of Firefox and downloaded an extension called “X-Forwarded-For Header” that lets you impersonate any IP address of your choosing. Buzzfeed then impersonated an IP address of a Verizon user who volunteered to have Buzzfeed take over his account. The moment Buzzfeed impersonated the user’s IP address, Verizon customer service greeted them by name— the name of the real user, that is. Using the information given to them directly by customer service, Buzzfeed was able to successfully ask for a password reset. Luckily, a password reset was the only thing requested. If this vulnerability were discovered by a criminal, things could have gone badly, and they would have access to users’ credit card and bank information, health records, and even social security numbers.
Fortunately, though, Verizon confirmed that no one was affected in the brief time this flaw existed and that if they did discover that people’s accounts had been breached, they would call them immediately and inform them. Verizon told Buzzfeed that the flaw was due to an programming error in the website’s code on April 22, 2015.
To read more on this topic, click here.