2 Years of Service
70%
Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user.
Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser.
This capability wasn’t a hypothetical.
I recently identified a security vulnerability in the
which made it possible for an attacker to leak call history logs of Verizon Wireless customers.
Call logs can be quite valuable, especially for nation states, as recently noted in coverage of the Salt Typhoon breach of telecom networks:
Given that this data is of such value, you’d expect that both how it’s accessed, and who is given access would be closely guarded. However, as I found, this may not be the case.
So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.
In short, anyone could lookup data for anyone.
This is of course a privacy concern for all. But for some this could also represent a safety concern.
continue reading at :
Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser.
This capability wasn’t a hypothetical.
I recently identified a security vulnerability in the
This link is hidden for visitors. Please Log in or register now.
Call logs can be quite valuable, especially for nation states, as recently noted in coverage of the Salt Typhoon breach of telecom networks:
This link is hidden for visitors. Please Log in or register now.
Given that this data is of such value, you’d expect that both how it’s accessed, and who is given access would be closely guarded. However, as I found, this may not be the case.
High level overview:
In order to display your recent history of received calls in the Verizon Call Filter app, a network request is made to a server. That request contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps for each.So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.
In short, anyone could lookup data for anyone.
This is of course a privacy concern for all. But for some this could also represent a safety concern.
continue reading at :
This link is hidden for visitors. Please Log in or register now.