
Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts - rwestergren
http://randywestergren.com/critical-vulnerability-verizon-mobile-api-compromising-user-email-accounts/
======
themartorana
Can't be mad at the speed and outcome of the response. I'm sure they would
have preferred the incident not be published at all...

In any case, we've all had "oh shit!" moments before. I'd love to think this
would be a wake up call about quality control, but Verizon is just so freakin'
big, that I can't imagine the number of vendors that have contributed to the
amount of code Verizon is running at any given time. I can't imagine the chore
of vetting it all at delivery time, let alone having to go back now, realizing
how bad that bug was and assuming other sloppiness likely exists.

~~~
revelation
There are security issues, and then there is this.

Not doing authentication _on some things_ isn't a "oh shit" moment, it's a
"we're doing all of this very wrong" moment.

~~~
MichaelGG
Or as Dropbox showed, it really is just a _moment_, with no real enduring
impact.

~~~
freehunter
And that's the problem in the industry. Unless you close up shop, a breach
doesn't really impact your business that much. Linode, for example, had
several security incidents where they did not tell their customers in any
reasonable time, or in some cases, lied to their customers until they were
forced to tell the truth. After one such incident where card numbers were
reportedly stolen (but Linode said they weren't), I closed my account,
cancelled the card I was using, and moved to DigitalOcean. And whenever I
mention this, I get a hundred people saying "Linode is awesome and all of that
was in the past!". I don't care. They screwed me over multiple times, were
dishonest with me as a paying customer, and proved to me they can not be
trusted. Sorry Sony. You get breached once, I might forgive you. You get
breached twice, you're doing something wrong. You get breached again and
again, you no longer exist in my mind.

Security is not a game, and it's not an afterthought. But some days it seems I
am the only person who feels that way. I still don't shop at Target or Home
Depot. They need to feel the impact of their business decisions, instead of
putting the cost of security onto their customers or the customer's bank.

~~~
super_sloth
Just as another datapoint, I used to keep a couple of virtual machines at
Linode.

After seeing how they acted after their security breaches, I left for
DigitalOcean. I've also recommended DO over Linode to other people for that
reason.

I should note it wasn't the fact they had a security incident, that happens.
It was the way they 'communicated' it.

------
cauterized
I'm not generally a fan of Verizon as a corporation, but they deserve kudos
for fixing the issue quickly and rewarding the OP for reporting it! This
should be the norm. Too many nightmare stories of companies prosecuting users
who find and report vulnerabilities.

~~~
_nullandnull_
Ditto, on the view of Verizon as a corporation. That said their security team
is filled with a lot of good people.

~~~
oasisbob
When I stumbled across a Verizon Wireless security problem last year, their
security team was the silver lining in what was otherwise a terrible
experience.

(I was a bit disappointed that it took so long to find that team -- only found
them through unrelated news stories asking the public to report any signs of
infrastructure sabotage during a labor negotiation breakdown.)

They ultimately weren't able to help me, and I had to resort to other more
drastic means to reach the right people.

It's really difficult and nerve-racking to have to deal with this type of
run-around under the threat of possible prosecution.

------
kevinburke
Really glad this ended well for the OP and not with a prosecution for
violating the Computer Fraud & Abuse act (something I was deathly scared of
last year when testing Virgin Mobile's ability to brute force logins).

------
jmgrosen
And it's all over HTTP, too? Wow... that's mighty disappointing.

~~~
themartorana
HTTPS makes Verizon sad - they can't MITM modify your requests, etc.

So I don't imagine they care too much about HTTPS for their own services
either.

------
coldcode
Though there are smart people at Verizon, much of their software is outsourced
with limited oversight. I once interviewed for what I thought was a dev
position, but at the end of the interview they tried to slide in that I was
really going to be "managing" the outsourced team and would not be allowed to
write anything myself. I said no.

------
homakov
How can one be that stupid, using params[:username] instead of a secure session
cookie? It's like sending -100 dollars with PayPal.
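The mistake homakov is pointing at, shown as an added example that is not from the thread or from Verizon's API: a handler that picks the mailbox from a caller-supplied `username` parameter beside one that takes identity only from a signed session cookie. The session format, the HMAC key and the mailbox data are all constructed for the example.

```ruby
require 'openssl'

# Constructed for this example: a server-side secret and two users' mailboxes.
SESSION_KEY = OpenSSL::Random.random_bytes(32)
MAILBOXES = {
  'alice' => ['alice: payroll notice'],
  'bob'   => ['bob: password reset link']
}.freeze

# Constant-time byte comparison so MAC checks don't leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a session cookie for a user who has already authenticated:
# "<username>.<hmac-sha256 over username>".
def issue_session(username)
  mac = OpenSSL::HMAC.hexdigest('SHA256', SESSION_KEY, username)
  "#{username}.#{mac}"
end

# Recover the username from a cookie, or nil if the cookie is missing,
# malformed, or its MAC does not verify (tampering or forgery).
def session_user(cookie)
  return nil if cookie.nil?
  name, mac = cookie.split('.', 2)
  return nil if name.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SESSION_KEY, name)
  secure_equal?(mac, expected) ? name : nil
end

# Vulnerable: the caller names whose mailbox to return. The cookie is
# accepted but never consulted, so anyone can read any account's mail
# just by changing the parameter.
def vulnerable_inbox(params, _cookie = nil)
  MAILBOXES[params[:username]]
end

# Fixed: *whose* data is returned is decided solely by the verified
# session; the username parameter is ignored for that decision.
def secure_inbox(_params, cookie)
  user = session_user(cookie)
  return :unauthorized if user.nil?
  MAILBOXES[user]
end
```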

