Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts (randywestergren.com)
78 points by rwestergren on Jan 18, 2015 | 16 comments



Can't be mad at the speed and outcome of the response. I'm sure they would have preferred the incident not be published at all...

In any case, we've all had "oh shit!" moments before. I'd love to think this would be a wake up call about quality control, but Verizon is just so freakin' big, that I can't imagine the number of vendors that have contributed to the amount of code Verizon is running at any given time. I can't imagine the chore of vetting it all at delivery time, let alone having to go back now, realizing how bad that bug was and assuming other sloppiness likely exists.


There are security issues, and then there is this.

Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.


> Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.

Then again it's all over HTTP so that was off to a bad start.


Or as Dropbox showed, it really is just a moment, with no real enduring impact.


And that's the problem in the industry. Unless you close up shop, a breach doesn't really impact your business that much. Linode, for example, had several security incidents where they did not tell their customers in any reasonable time, or in some cases, lied to their customers until they were forced to tell the truth. After one such incident where card numbers were reportedly stolen (but Linode said they weren't), I closed my account, cancelled the card I was using, and moved to DigitalOcean. And whenever I mention this, I get a hundred people saying "Linode is awesome and all of that was in the past!". I don't care. They screwed me over multiple times, were dishonest with me as a paying customer, and proved to me they cannot be trusted. Sorry Sony. You get breached once, I might forgive you. You get breached twice, you're doing something wrong. You get breached again and again, you no longer exist in my mind.

Security is not a game, and it's not an afterthought. But some days it seems I am the only person who feels that way. I still don't shop at Target or Home Depot. They need to feel the impact of their business decisions, instead of putting the cost of security onto their customers or the customer's bank.


Just as another datapoint, I used to keep a couple of virtual machines at Linode.

After seeing how they acted after their security breaches, I left for DigitalOcean. I've also recommended DO over Linode to other people for that reason.

I should note it wasn't the fact that they had a security incident; that happens. It was the way they 'communicated' it.


I think there should be a "Fixed" in the title.

The question now becomes, for how long was this vulnerability known and exploited secretly?


I'm not generally a fan of Verizon as a corporation, but they deserve kudos for fixing the issue quickly and rewarding the OP for reporting it! This should be the norm. Too many nightmare stories of companies prosecuting users who find and report vulnerabilities.


I don't think that having two days between the contact and the fix is acceptable for something as crucial as reading anyone's e-mail. I wish they had locked down access while investigating the bug once they confirmed it (which should have taken minutes). Leaving such access open for any time after knowing about it is grossly irresponsible in my eyes.


Ditto on the view of Verizon as a corporation. That said, their security team is filled with a lot of good people.


When I stumbled across a Verizon Wireless security problem last year, their security team was the silver lining in what was otherwise a terrible experience.

(I was a bit disappointed that it took so long to find that team -- only found them through unrelated news stories asking the public to report any signs of infrastructure sabotage during a labor negotiation breakdown.)

They ultimately weren't able to help me, and I had to resort to other more drastic means to reach the right people.

It's really difficult and nerve-racking to have to deal with this type of run-around under the threat of possible prosecution.


Really glad this ended well for the OP and not with a prosecution for violating the Computer Fraud & Abuse Act (something I was deathly scared of last year when testing Virgin Mobile's ability to brute force logins).


And it's all over HTTP, too? Wow... that's mighty disappointing.


HTTPS makes Verizon sad - they can't MITM modify your requests, etc.

So I don't imagine they care too much about HTTPS for their own services either.


Though there are smart people at Verizon, much of their software is outsourced with limited oversight. I once interviewed for what I thought was a dev position, but at the end of the interview they tried to slide in that I was really going to be "managing" the outsourced team and would not be allowed to write anything myself. I said no.


How can one be that stupid to use params[:username] instead of a secure session cookie? It's like sending -100 dollars with PayPal.
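The pattern this comment criticises, shown as an added illustration in plain Ruby (not code from the thread or from Verizon's API): a mailbox lookup that trusts params[:username] beside one that resolves identity only from the server-side session, with the tampered parameter logged as a signal. All users, session ids and inbox contents are constructed for the example.

```ruby
# Constructed server-side state: mailboxes and the session store that maps a
# session cookie value to the authenticated user.
INBOXES = {
  "alice" => ["Welcome to your mailbox", "Invoice #123"],
  "bob"   => ["Meeting at 3pm"],
}.freeze
SESSIONS = { "s3ss10n-alice" => "alice", "s3ss10n-bob" => "bob" }.freeze

# Vulnerable: the identity comes from the request itself. Whoever controls
# params[:username] reads that user's mail; the cookie is never consulted.
def fetch_inbox_vulnerable(params, _cookies)
  INBOXES[params[:username]]
end

# Hardened: the identity is resolved only from the session bound to the
# cookie. params[:username] is never used for authorization; when it is
# present and disagrees with the session user, it is recorded as a
# tampering signal for detection.
def fetch_inbox_hardened(params, cookies, log = [])
  user = SESSIONS[cookies[:session]]
  return { status: 401, body: nil } unless user
  if params[:username] && params[:username] != user
    log << "ALERT session user=#{user} requested inbox of #{params[:username]}"
  end
  { status: 200, body: INBOXES[user] }
end

if __FILE__ == $0
  log = []
  req = { username: "alice" }              # attacker-controlled parameter
  bob_cookie = { session: "s3ss10n-bob" }  # but the session belongs to bob
  p fetch_inbox_vulnerable(req, bob_cookie) # alice's mail is returned to bob
  p fetch_inbox_hardened(req, bob_cookie, log) # bob sees only his own inbox
  puts log
end
```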
