An independent security researcher discovered a way to brute force Verizon PINs online, meaning an attacker could potentially break into Verizon customer accounts. In response, Verizon has taken the affected web pages offline.
The issue is that the Verizon website was built in such a way that the researcher could send many concurrent requests to guess a target’s PIN, while the site registered only one attempt. Many websites are designed to block someone’s computer or temporarily lock the account when someone guesses a password incorrectly several times in a row. But here, a hacker could effectively turn the odds in their favor by making many guesses at once without the site stopping them.
“Using this page, I can publish any Verizon [customer] account number and retrieve any customer’s PIN. Very powerful mistake,” Joseph Harris, also known as Doc, the researcher who discovered the problem, told Motherboard in an online chat.
This kind of issue is called a race condition; Microsoft faced a similar problem in March, when a researcher demonstrated that a PIN for a Microsoft account could be brute forced.
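The counting flaw described above, and its fix, as an added example that is not from the article or from Verizon: a lockout counter that reads and writes in separate steps records one failure for a whole burst of concurrent guesses, while one that counts under a lock enforces the limit. The class names, the threshold of 3 and the sample PIN are assumptions made for illustration.

```python
import threading

MAX_ATTEMPTS = 3  # assumed lockout threshold; the article does not give the real one

class RacyLimiter:
    """Check-then-update: the counter is read and written in separate steps."""
    def __init__(self, pin):
        self.pin, self.failed = pin, 0
    def try_pin(self, guess, gate):
        seen = self.failed              # step 1: read the failure count
        if seen >= MAX_ATTEMPTS:
            return "locked"
        gate.wait()                     # constructed overlap: every request has read by now
        if guess == self.pin:
            return "ok"
        self.failed = seen + 1          # step 2: write back a stale value
        return "wrong"

class AtomicLimiter:
    """Check the limit and count the attempt as one step, under a lock."""
    def __init__(self, pin):
        self.pin, self.failed = pin, 0
        self.lock = threading.Lock()    # stands in for an atomic increment in a shared store
    def try_pin(self, guess, gate):
        gate.wait()                     # same burst: all requests arrive together
        with self.lock:
            if self.failed >= MAX_ATTEMPTS:
                return "locked"
            if guess == self.pin:
                return "ok"
            self.failed += 1
            return "wrong"

def burst(limiter, guesses):
    """Submit every guess concurrently; return (results, recorded failures)."""
    gate = threading.Barrier(len(guesses))
    results = [None] * len(guesses)
    def worker(i, guess):
        results[i] = limiter.try_pin(guess, gate)
    threads = [threading.Thread(target=worker, args=(i, g)) for i, g in enumerate(guesses)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, limiter.failed

if __name__ == "__main__":
    wrong = [f"{n:04d}" for n in range(20)]   # constructed guesses, none correct
    for cls in (RacyLimiter, AtomicLimiter):
        print(cls.__name__, burst(cls("4821"), wrong))
```

In a multi-server deployment the lock would be replaced by an atomic increment in the shared session or account store, so that the count is reserved before the PIN is compared.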
Harris said that with a customer’s PIN, an attacker can request a replacement SIM card. Known as SIM swapping, this is an attack in which hackers redirect a target’s text messages to themselves and then break into other accounts. Harris said an attacker can also add a new phone number to the target account or read the user’s text messages.
“The race conditions may be [sic] It also allows me to take over the Verizon wireless account. You can view the text through vtext.com,” Harris added.
Do you know about other security issues at telecommunications companies? We would be happy to hear from you. Using a non-work phone or computer, you can securely contact Joseph Cox via Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Harris uploaded a video to YouTube showing a proof of concept of the attack to demonstrate the problem to Motherboard and to Verizon itself. After uploading the clip, Harris received apparent interest from SIM swappers who wanted more information about the technique.
“Hey, this is incredible. Is there any place to contact you? Wickr/Wire/Discord,” one person wrote in a YouTube comment, according to a screenshot shared by Harris. Harris then temporarily deleted the video.
Harris said they reported the problem to Verizon. After Motherboard asked Verizon for comment, an employee of the Verizon security team emailed Motherboard for more information. Verizon later fixed the issue by removing the page Harris used to demonstrate the attack.
“The vulnerability has been mitigated. We are very grateful for this being brought to our attention,” Verizon Security Risk Management Manager Vincent Devine told Motherboard in an email.