Verizon made headlines this week with the surprise $4.4 billion acquisition of AOL, but a new report from BuzzFeed reveals that a major security flaw could have made this a much more challenging week for the telecommunications giant.
According to the report, BuzzFeed received a tip from current chief information security officer at Cinder (and former hacker) Eric Taylor last week that a vulnerability in Verizon’s system made it easier than ever to gain access to the personal information of Verizon Internet customers with little more than a browser plug-in and a few phone calls to customer support.
The flaw has since been patched (as BuzzFeed alerted Verizon before publishing its report), but this description demonstrates just how easy it was to gain access to another user’s account, providing you were willing to take the time to do so:
The vulnerability existed because Verizon’s customer support website identifies you through your computer’s IP address. Since this address is generated by your internet service provider, what it’s really looking for is if you’re hitting its page with an IP address that Verizon recognizes. Because those IP addresses are unique to each home internet customer, when it sees one it recognizes, it assumes it knows who you are, and until we informed Verizon of the flaw, it automatically displayed things like your location, your name, your phone number, and your email address. And that’s really all you need to take control of a Verizon account.
BuzzFeed’s Joseph Bernstein was able to take control of several users’ accounts within hours of receiving the tip from Taylor. The entire process consisted of “two downloads, copy and pasting some information from an email, and a few interactions with Verizon customer support.”
For any Verizon customers out there that are now feeling incredibly anxious that their information might be floating around the web, it’s worth noting that the report has since been updated to include the following statement from Verizon:
“We have no reason to believe that any customers were impacted by this, other than those who’s information was used by Buzzfeed. If we discover that any were, we will contact them directly.”
That’s great news, but as BuzzFeed points out in another update, the flaw appears to have been in place since April 22nd, and there’s no telling how much damage could have been done if a more nefarious group had discovered it before Taylor. And now this is going to become an inseparable part of the discussion surrounding Verizon’s continued growth.