Security Expert Discovers Simple Way To Hack Into Verizon ISP Accounts
The vulnerability existed because Verizon’s customer support
website identified users by their computer’s IP address. When a
user visited the customer support page, the site recognized the IP address and
displayed the customer’s location, name, phone number, and email address – that’s
all you need to take control of a Verizon account.
HOW?
First, the researcher downloaded an old version of Firefox and a simple Firefox extension called “X-Forwarded-For Header” to spoof the IP address. Then he entered a valid Verizon user’s IP address (the target) into that extension.
He clicked on the option for a live chat with a Verizon customer service rep and requested a password reset.
Taylor said, “In order to get a reset when someone has set a PIN,
Verizon customer support requires either that number, the amount of the
most recent payment, or access to the phone listed on the account;
Verizon will call customers at that number with their PIN. None of these
were listed in the source code, and I obviously didn’t have access to
the account phone.”
“So I called back, and asked for the amount of my last payment,
claiming to be balancing my checkbook. Verizon happily gave it to me.
Now armed with one of the requisite pieces of verification information, I
called back a third time and got a friendly rep to reset the password.
We were able to successfully repeat this procedure on demand,” he added.
After fixing the vulnerability, Verizon spokesperson Alberto Canal
wrote, “We have no reason to believe that any customers were impacted by
this, other than those whose information was used by Buzzfeed. If we discover that any were, we will contact them directly.”
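
The article does not show the site's server code. As an added example (not from Verizon or from the original article), the sketch below contrasts a server that takes the client address straight from the X-Forwarded-For header with one that honors the header only when the connection comes from its own proxies. The function names, the proxy range and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the site's own reverse proxies sit in this range (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk input
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_addr, headers):
    """Weak: believes whatever the request puts in X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr

def resolved_client_ip(peer_addr, headers):
    """Use the header only when the TCP peer is one of our proxies, then
    walk the chain right to left and stop at the first hop we do not run."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr  # direct connection: the header is client-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket peer
    return peer_addr

# Constructed sample requests (documentation address ranges).
SUBSCRIBER = "203.0.113.7"   # address the site would map to an account
OTHER_HOST = "198.51.100.9"  # a different machine sending a forged header
SAMPLES = [
    # (TCP peer, request headers)
    (OTHER_HOST, {"X-Forwarded-For": SUBSCRIBER}),                     # direct, forged
    ("10.0.0.5", {"X-Forwarded-For": f"{SUBSCRIBER}, {OTHER_HOST}"}),  # forged, proxy appended real peer
    ("10.0.0.5", {"X-Forwarded-For": SUBSCRIBER}),                     # genuine subscriber via proxy
]

def compare():
    """Return (naive, resolved) for each sample request."""
    return [(naive_client_ip(p, h), resolved_client_ip(p, h)) for p, h in SAMPLES]

if __name__ == "__main__":
    for naive, resolved in compare():
        print(f"naive={naive:<14} resolved={resolved}")
```

Even a correctly resolved address identifies a network connection rather than a person, so it is a weak basis for displaying account details without a login.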