A simple browser plug-in was all you needed to gain access to the internet giant’s customer accounts.

Image: Verizon 2015 Data Breach Investigations Report

With its $4.4 billion purchase yesterday of AOL, the telecom giant Verizon gained millions of new home internet customers. But a glaring security flaw suggests they may have put millions of their existing internet customers at risk.

BuzzFeed News has learned of a vulnerability in Verizon's service that could have allowed anyone to view the personal information of any of its 9 million home internet customers simply by visiting its website with a spoofed IP address — the very same personal information that can be used to obtain password resets and gain full control over those home accounts.

Verizon fixed the security loophole after being notified of it by BuzzFeed News.

BuzzFeed News was able to verify this vulnerability multiple times, on multiple accounts, with the explicit and repeated permission of the account holders.

Your IP address is a unique number assigned to your internet-connected devices that lets other computers identify you. It's in the header of emails you send, and can be easily sussed out by savvy hackers if you, say, make a Skype call, play games online with Xbox, or click on the wrong link in an email. But it wouldn't have taken a savvy hacker to pull off this Verizon exploit. In fact, all you need is a Firefox plug-in — one of hundreds of browser-specific programs that people use to do things like block display ads or sync their bookmarks between browsers.

Last week, BuzzFeed News received a tip from Eric Taylor — now the chief information security officer of a company called Cinder, but probably better known by his former hacking alias, Cosmo the God. Taylor and Blake Welsh, a student at Anne Arundel Community College in Maryland, had found a way to easily access Verizon user information by spoofing IP data. They passed along the information to BuzzFeed News on the condition that we would report it to Verizon before publishing — which we did.

The vulnerability existed because Verizon's customer support website identifies you through your computer's IP address. Because that address is assigned by your internet service provider, what the site is really checking is whether the request arrives from an IP address that Verizon recognizes as one of its own. Because those IP addresses are unique to each home internet customer, when it sees one it recognizes, it assumes it knows who you are, and until we informed Verizon of the flaw, it automatically displayed things like your location, your name, your phone number, and your email address. And that's really all you need to take control of a Verizon account.
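The underlying server-side mistake is trusting a client-supplied header (the X-Forwarded-For header the article's Firefox extension sets) as if it were the connection's real source address. The following is an added illustration written for this article, not Verizon's code: it contrasts a naive resolver that believes any X-Forwarded-For value with a hardened one that only honors the header when the request came through the site's own reverse proxy. The customer table, the proxy range, and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample: a tiny "customer database" keyed by the address the ISP
# assigned to a home connection (fictional documentation-range addresses).
CUSTOMERS_BY_IP = {
    "203.0.113.45": {"name": "Test Customer", "location": "D.C."},
}

# Assumption: only the site's own reverse proxies (here 10.0.0.0/8) ever
# append a legitimate X-Forwarded-For entry.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    """True if addr is one of our own proxies (malformed input is not)."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def client_ip_naive(remote_addr, headers):
    """Vulnerable: believes whatever X-Forwarded-For says, whoever sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honor X-Forwarded-For only if the TCP peer is a trusted proxy, and
    take the right-most hop that is not one of our proxies: that is the
    entry our proxy appended, not one the client wrote itself."""
    if not _is_trusted(remote_addr):
        return remote_addr            # direct connection: header is untrusted
    xff = headers.get("X-Forwarded-For", "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not _is_trusted(hop):
            return hop
    return remote_addr


def lookup(resolver, remote_addr, headers):
    """Look up the account the resolver believes is connecting."""
    return CUSTOMERS_BY_IP.get(resolver(remote_addr, headers))
```

Even the hardened resolver only tells you which connection the request came from; showing account details on that basis alone is still weak, and the durable fix is to require the customer to authenticate before any personal data is displayed.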

Within a few hours of the tip, and despite having no technical background, with the explicit permission of several Verizon account holders, I was able to convince Verizon customer service to reset an account password, giving me total control of a Verizon account. It was surprisingly easy to do.

It took me only two downloads, copying and pasting some information from an email, and a few interactions with Verizon customer support. It was just a matter of following step-by-step instructions. In other words, if you can follow a recipe, you could probably have gotten a Verizon password reset.

First, I downloaded a particular old version of Firefox (20, in case you were wondering). Then I downloaded “X-Forwarded-For Header,” a simple Firefox extension that lets your browser impersonate an IP address of your choosing. I popped a Verizon user's IP address — which I gleaned from the header of an email sent to me by one of the volunteers who had given me permission to gain control of his account — into the extension.

I then navigated to the Verizon customer support page, which showed my location in another state — the state of the accounts I was using (with permission) to test this method. Although I work in New York, the page displayed my location as D.C. It also greeted me by name — but not my name, the name on the account.

There was further confirmation that I had fooled the site — the support page showed the make and name of each of the Verizon devices in the home of our test account.
