After Verizon purchased AOL on Tuesday, May 13 for $4.4 billion, the network may already have gotten off to a rough start in the public eye.
BuzzFeed reported a vulnerability in Verizon's website that has existed on the site for weeks, which could have put 9 million of its existing internet users at risk of theft.
Thanks to a tip, BuzzFeed discovered that an error in the telecom's site, which provides services such as email to subscribers, allowed for easy access into any Verizon internet user's personal info.
Verizon has since remedied the issue, explaining it was a coding error that caused the soft spot. Regardless of the damage done, the potential for hacking millions of users' accounts raises a lot of red flags for the company and its customers. And, to make matters worse, exploiting this bug was exceptionally easy – that is, before it was squashed.
The hack
BuzzFeed's Joseph Bernstein detailed how he was able to obtain multiple Verizon accounts (with permissions of course) using a frighteningly simple formula.
By simply finding a user's IP address, which can be seen in the email header sent by a Verizon internet customer, Bernstein was able to simply "spoof" the IP address with a Firefox extension called, "X-Forwarded-For Header", and camouflage his own address with the stolen one. Upon this simple duping of the system, Verizon showcases the unlucky victim's name, email address, location, and phone number, with no more confirmation than the right IP address.
Bernstein then was able to hop on the phone and schmooze with Verizon's customer support to convince them to reset his password, which he describes as "surprisingly easily done." This is because customer support recognizes its customers by their IP address.
Just like that, he was able to get into an account he had no attachments to; free to roam, steal and change whatever he wished.
Of course, BuzzFeed was interested in the safety of others, not their personal information. Regardless, the lapse in security raises some serious questions about the mega network. Had a malicious hacker discovered this, it would have been as simple as following a recipe to sift through a Verizon customers email for bank statements, social security and more.
Admittedly, this all would be less worrisome if it had been a Jesse James-style heist that left the system vulnerable. But it's the simplicity of the exploit that is a stark reminder of the precarious nature of web security.
The company told BuzzFeed in a statement that it has "no reason to believe that any customers were impacted by this," while the bug existed. Unfortunately for Verizon's 9 million home internet customers, they'll have to take their word on it.
