Sim-swap on Verizon (USA)

Lord777

A vulnerability in a Verizon website has put customers at risk of SIM spoofing.



Cybersecurity researcher Joseph Harris discovered a way to guess Verizon customers' PINs online, which could give an attacker the ability to compromise user accounts.

The problem was that Verizon's website did not limit the number of simultaneous PIN requests and recorded them as only one attempt. Many sites are set up to block such password-guessing attempts after several incorrect requests. In this case, however, attackers may have had an unlimited number of attempts.

"Using this single page, I could reveal any Verizon customer account number and also access the PIN. That's a pretty serious mistake," the expert explained to Motherboard.

According to Harris, an attacker could use a customer's PIN to request a SIM card change. The attack, called SIM swapping, allows an attacker to redirect the victim's text messages to themselves in order to break into other accounts. Attackers could also add a new phone number to the target's account or read the user's text messages.

"The race condition could have allowed me to gain control of the Verizon account. It was possible to view messages on vtext.com," Harris added.

Harris uploaded a video to YouTube showing PoC code to exploit the vulnerability. The researcher reported the problem to Verizon, and the company disabled the vulnerable pages.
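
The counting flaw described above (simultaneous PIN requests recorded as a single attempt), shown next to a counter that closes it. This is an added illustration, not Harris's PoC or Verizon's code; the class names, the threshold of 3 and the sample PIN values are all constructed assumptions.

```python
import threading

MAX_ATTEMPTS = 3  # constructed lockout threshold, not Verizon's real value

class RacyLimiter:
    """Reads the counter, verifies, then writes back: three separate steps."""
    def __init__(self, gate):
        self.failed = 0
        self.gate = gate  # barrier that makes the requests overlap deterministically

    def try_pin(self, guess, real_pin):
        seen = self.failed                 # read
        if seen >= MAX_ATTEMPTS:
            return "locked"
        self.gate.wait()                   # every request has passed the check by now
        if guess == real_pin:
            return "ok"
        self.failed = seen + 1             # stale write: N failures collapse into 1
        return "wrong"

class AtomicLimiter:
    """Counts the attempt under a lock before the PIN is compared."""
    def __init__(self):
        self.attempts = 0
        self.lock = threading.Lock()

    def try_pin(self, guess, real_pin):
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "locked"
            self.attempts += 1             # check and increment are one atomic step
        return "ok" if guess == real_pin else "wrong"

def run_burst(limiter, guesses, real_pin):
    """Send all guesses at once, one thread per request; return the outcomes."""
    results = []
    def worker(g):
        results.append(limiter.try_pin(g, real_pin))
    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

if __name__ == "__main__":
    guesses = [f"{n:04d}" for n in range(10)]   # constructed sample input
    racy = RacyLimiter(threading.Barrier(len(guesses)))
    print(run_burst(racy, guesses, "4821"), racy.failed)
    safe = AtomicLimiter()
    print(run_burst(safe, guesses, "4821"), safe.attempts)
```

In a multi-server deployment the same guarantee has to come from the shared store (an atomic increment or a row lock), since an in-process lock only covers one worker.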

 