Verizon left security researcher hanging while reported URL hack revealed subscribers' texting history (updated)
Long wait times and a complete lack of transparency -- no, this isn't a story about a typical call to Verizon customer support. It's what happened when a security researcher discovered a critical privacy vulnerability on Verizon's consumer site and tried, nearly in vain, to get it patched. Back in August, researcher PRVSEC found that a simple URL exploit could allow any subscriber using the site's 'Download to SpreadSheet' function to access any other user's texting history. The hack required nothing more than swapping a subscriber's cell number into the URL to view information like date, time, recipient and message status -- actual contents of the SMS or MMS sent could not be accessed.
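The class of flaw described above is a missing ownership check on an export request. The sketch below is an added illustration, not Verizon's code: it contrasts an export that trusts the number in the request with one that ties it to the signed-in account, plus a log check for mismatches. All account IDs, phone numbers, records and function names are constructed for the example.

```python
import csv
import io

# Constructed sample data: lines owned by each account, and message metadata only.
ACCOUNT_LINES = {"acct-1001": {"2025550101"}, "acct-2002": {"2025550102"}}
MESSAGE_LOG = {
    "2025550101": [("08-01", "09:14", "2025550199", "Delivered")],
    "2025550102": [("08-02", "17:40", "2025550177", "Delivered")],
}


class Forbidden(Exception):
    """Raised when a session requests a line it does not own."""


def _to_csv(number):
    # Render the metadata rows for one number as spreadsheet-style CSV.
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "time", "recipient", "status"])
    writer.writerows(MESSAGE_LOG.get(number, []))
    return buf.getvalue()


def export_unchecked(session_account, requested_number):
    # Flawed pattern: the number from the request is trusted as-is and
    # the authenticated session is never consulted.
    return _to_csv(requested_number)


def export_checked(session_account, requested_number):
    # Hardened pattern: the requested number must be a line on the
    # authenticated account, otherwise the request is refused.
    if requested_number not in ACCOUNT_LINES.get(session_account, set()):
        raise Forbidden(f"{session_account} does not own {requested_number}")
    return _to_csv(requested_number)


def flag_cross_account_requests(requests):
    # Detection: given (session_account, requested_number) pairs from access
    # logs, return those where the number is not on the requesting account.
    return [(acct, num) for acct, num in requests
            if num not in ACCOUNT_LINES.get(acct, set())]
```
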
It took Verizon more than a month from the time PRVSEC submitted the initial report to bring the case to a complete resolution and close the exploit, and an additional month to make the issue public. That the issue was even addressed in the first place is somewhat of a personal victory for PRVSEC, as Verizon's site doesn't offer any direct contact info to report vulnerabilities. PRVSEC was only able to bring the URL exploit to Verizon's attention through a LinkedIn contact. Verizon has since created a dedicated email contact, CorporateSecurity@verizonwireless.com, to field these security issues, but the company's overall slow response time, inaccessibility and lack of transparency should give its subscribers cause for concern. We've reached out to Verizon for comment on the matter and will update should we hear back.
Update: A Verizon rep responded to our request for comment saying, "[We] take customer privacy very seriously, and we addressed this issue as soon as our security teams were made aware of it. Customer information was not impacted."