With its $4.4 billion purchase yesterday of AOL, the telecom giant Verizon gained millions of new home internet customers. But a glaring security flaw suggests they may have put millions of their existing internet customers at risk.
BuzzFeed News has learned of a vulnerability in Verizon’s service that could have allowed anyone to view the personal information of any of its 9 million home internet customers simply by visiting its website with a spoofed IP address — the very same personal information that can be used to obtain password resets and gain full control over those home accounts.
Verizon fixed the security loophole after being notified of it by BuzzFeed News.
BuzzFeed News was able to verify this vulnerability multiple times, on multiple accounts, with the explicit and repeated permission of the account holders.
Your IP address is a unique number assigned to your internet-connected devices that lets other computers identify you. It’s in the header of emails you send, and can be easily sussed out by savvy hackers if you, say, make a Skype call, play games online with Xbox, or click on the wrong link in an email. But it wouldn’t have taken a savvy hacker to pull off this Verizon exploit. In fact, all you need is a Firefox plug-in — one of hundreds of browser-specific programs that people use to do things like block display ads or sync their bookmarks between browsers.
Last week, BuzzFeed News received a tip from Eric Taylor — now the chief information security officer of a company called Cinder, but probably better known by his former hacking alias, Cosmo the God. Taylor and Blake Welsh, a student at Anne Arundel Community College in Maryland, had found a way to easily access Verizon user information by spoofing IP data. They passed along the information to BuzzFeed News on the condition that we would report it to Verizon before publishing — which we did.
The vulnerability existed because Verizon’s customer support website identified visitors by the IP address their requests appeared to come from. Since Verizon itself assigns those addresses to its subscribers, all the site really checked was whether a request arrived from an address Verizon recognized. Because each home internet customer has a unique address, a recognized one was taken as proof of who you were, and until we informed Verizon of the flaw, the site automatically displayed things like your location, your name, your phone number, and your email address. And that’s really all you need to take control of a Verizon account.
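The trust decision described above, as an added example that is not Verizon's code or anything from the article: a naive handler that believes whatever X-Forwarded-For says, beside one that honours the header only when the request arrived through a proxy the operator controls. The account table, the proxy address and the sample IPs are constructed for the demonstration; even a correctly derived address identifies a household at best and must never stand in for a login.

```python
import ipaddress

# Constructed sample data: a table mapping subscriber IPs to account details.
ACCOUNTS_BY_IP = {
    "203.0.113.10": {"name": "Example Customer", "phone": "555-0100"},
}
# Constructed: the reverse proxies that sit in front of the application.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(remote_addr, xff):
    """The flawed pattern: use the first X-Forwarded-For value if present."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For hops only when appended by proxies we run.

    Walk the chain from the right (closest hop first); each trusted proxy
    vouches for the address to its left. The first address that is not one
    of our proxies is the real client. Values a client prepends itself end
    up left of its real address and are never reached.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return remote_addr          # direct connection: header is untrusted
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # malformed header: trust nothing in it
        if addr not in trusted_proxies:
            return str(addr)
    return remote_addr


def lookup_account(ip):
    """Returns the account record for an IP, or None if unrecognized."""
    return ACCOUNTS_BY_IP.get(ip)


if __name__ == "__main__":
    # A direct visitor claiming a subscriber's address in the header.
    print(lookup_account(naive_client_ip("198.51.100.7", "203.0.113.10")))
    print(lookup_account(client_ip("198.51.100.7", "203.0.113.10")))
```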
Within a few hours of the tip, and despite having no technical background, with the explicit permission of several Verizon account holders, I was able to convince Verizon customer service to reset an account password, giving me total control of a Verizon account. It was surprisingly easy.
It took me only two downloads, copying and pasting some information from an email, and a few interactions with Verizon customer support. It was just a matter of following step-by-step instructions. In other words, if you can follow a recipe, you could have probably gotten a Verizon password reset.
First, I downloaded a particular old version of Firefox (20, in case you were wondering). Then I downloaded “X-Forwarded-For Header,” a simple Firefox extension that lets your browser impersonate an IP address of your choosing. I popped a Verizon user’s IP address — which I gleaned from the header of an email sent to me by one of the volunteers who had given me permission to gain control of his account — into the extension.
I then navigated to the Verizon customer support page, which showed my location in another state — the state of the accounts I was using (with permission) to test this method. Although I work in New York, the page displayed my location as D.C. It also greeted me by name — but not my name, the name on the account.
There was further confirmation that I had fooled the site — the support page showed the make and name of each of the Verizon devices in the home of our test account.
From here, there were two easy ways to pull personal information. The first was to click on the option for a live chat with a Verizon customer service rep. That opened a pre-chat page that auto-populates with the name of the customer and their phone number.
The other way was to open the source code of any of the pages within the support section. These all showed the same information, plus an email address and a mobile phone associated with the account.
These pieces of information — name, telephone numbers, and email — were all I needed (and more frighteningly, all a malicious hacker would have needed) to convince Verizon customer service that I was a customer in need of a password reset.
Even worse, customer support gave me that reset information despite the customer having a security PIN set up. In order to get a reset when someone has set a PIN, Verizon customer support requires either that number, the amount of the most recent payment, or access to the phone listed on the account; Verizon will call customers at that number with their PIN. None of these were listed in the source code, and I obviously didn’t have access to the account phone.
So I called back, and asked for the amount of my last payment, claiming to be balancing my checkbook. Verizon happily gave it to me. Now armed with one of the requisite pieces of verification information, I called back a third time and got a friendly rep to reset the password. We were able to successfully repeat this procedure on demand.
If I were a criminal, this is where the really bad stuff would have started. For someone who uses a Verizon email address, if I had wanted to I could have reset that and combed through it for credit card and bank information, health records, Social Security numbers — the works. Depending on which Verizon services the account uses, I could have changed their voicemail password, changed their internet subscription package, canceled their television, etc.
And there are all sorts of other things that one could use this personal information for — including as verification for other accounts. It’s very common for hackers to leverage information found in one place to get password resets in another. What’s more, it also means that law enforcement could obtain the identity of anyone with a Verizon IP address, without a court order.
After fixing the vulnerability, Verizon gave BuzzFeed News the following statement:
“Once it was brought to our attention, our experts immediately investigated the issue and repaired the error within hours. We appreciate the responsible manner in which Buzzfeed brought this matter to our attention. Addressing issues like this collaboratively is a constructive addition to our continuous actions to safeguard the security of customers’ information.”
The security subsection of the support page for Verizon FiOS internet, used by 6.6 million American households, reads: “Shopping online, using email, or surfing the Internet shouldn’t leave you feeling vulnerable to virus attacks, identity theft or other security breaches.” Until Verizon makes sure flaws as simple and easy to exploit as this one don’t exist, their millions of customers, old and new, will feel just that: vulnerable.
According to a Verizon spokesperson, Alberto Canal, the vulnerability was due to an error programmed in the website’s code on April 22 of this year.
In an additional statement to BuzzFeed, Verizon spokesperson Alberto Canal wrote, “We have no reason to believe that any customers were impacted by this, other than those whose information was used by Buzzfeed. If we discover that any were, we will contact them directly.”