- The exposed contracts contained information such as full name, address, mobile number, and signature of customers.
- It also included the model and the serial number of the device brought by customers.
A series of vulnerabilities discovered in Verizon Wireless systems could have been exploited by hackers to gain access to 2 million customer contracts.
What’s the matter?
The issue came to the light while UK-based researcher Daley Bee was analyzing a subdomain of Verizon Wireless systems.
The subdomain ‘telestore.verizonwireless.com’ is used for employees to access internal Point of Sales tools and view customer information.
Using Google dorks, Bee was able to find some valid paths of Verizon Employee tools and began to ‘dirsearch’ them for more directories and files.
“From the Google Dorking, I also learnt the path used to view Verizon Wireless Pay Monthly customers contracts in PDF format – although we had to be authenticated for this – that always leading to a 404. I bruteforced GET parameters to find the a parameter and the m parameter,” added the researcher.
What data was exposed?
The exposed contracts contained information such as full name, address, mobile number, and signature of customers. It also included the model and the serial number of the device brought by customers.
Bee determined that there were a total of roughly 2 million valid combination parameters affected by the IDOR flaw.
“After a quick check, I learnt that 1310000000 was the lowest contract number that could be viewed and 1311999999 was the highest. That means that there was information of around 2 million Verizon Pay Monthly customers exposed,” Bee explained in a blog post.