- Security experts discovered a flaw this week in the website operated by Verizon Wireless that potentially exposed the private customer information of those who used the website to view their personal cell phone bills.
Marc Slemko, a Seattle-based software developer, posted the warning September 1 on the BugTraq security mailing list after notifying Verizon of the problem on August 19 and receiving no response. Half a dozen other security experts later confirmed his findings.
The privacy hole affected users who logged on to the Verizon Wireless website and used the "My Account" feature to view or change their cellphone billing and account information. The website address for the feature assigns session identifications sequentially as each user logs in. The IDs are valid until the user logs out or the session times out. However, because it's the only session ID used, Slemko says it's easy to manually access the account of other users by guessing their session IDs. In addition, "automated tools [can] grab this information in bulk as users login over time," he writes.
The vulnerability put at risk such information as names, addresses, records of calls placed and received, along with the phone number and approximate location of the user when the call was made, according to Slemko and others.
Brian Wood, a spokesman for Bedminster, New Jersey-based Verizon Wireless, says IT workers at the company fixed the hole as of 5am EDT on Wednesday (midnight Thursday New Zealand time). When asked why it took Verizon so long to act on Slemko's August 19 alert, Wood says Slemko didn't properly "escalate" his query.
"You have five different options to contact us on the website. His email apparently went into the normal email box and was handled by a frontline customer service representative," says Wood. "It kind of got bogged down in the system." However, Wood also says that previous security tests run by Verizon on the site had not uncovered the flaw.
Wood says the flaw only affected a portion of the users who signed up for online billing. The hole was never an issue for former customers of Bell Atlantic Mobile, GTE Wireless, AirTouch Cellular or PrimeCo Personal Communications -- the companies that now make up Verizon Wireless.
"We've not seen any evidence that someone might have taken advantage of this hole," he says.
However, Verizon, which serves more than 28 million wireless customers, isn't alone in suffering from predictable online session IDs, according to a study presented in August at the 10th annual Usenix security conference by Kevin Fu and two other researchers at the MIT Laboratory for Computer Science. Of the 27 sites they investigated, many were found to have inadequate user authentication capabilities.
"We weakened the client authentication on two systems, gained unauthorised access on eight and extracted the secret key used to mint authenticators from one," the researchers wrote in their study, Dos and Don'ts of Client Authentication on the Web. The researchers extracted the secret key from the website of The Wall Street Journal, which could have allowed them to log in as a user and gain free access to the paid subscription site, according to Fu.
Lack of a central infrastructure such as a public-key infrastructure contributes to the proliferation of weak authentication schemes, the researchers concluded. In addition, similar holes can result from the use of what the researchers call "persistent cookies," which are placed on the user's hard drive when a website is visited.
However, an error in the way web browsers or users handle the cookie file may make it accessible over the internet, exposing the user's cookies to anyone who knows where to look, according to Fu's study. "If a persistent cookie in a leaked file contains an authenticator, an adversary can simply copy the cookie and break into the user's account. For these reasons, persistent cookies should not be considered private."