Bugtraq mailing list archives
RE: verizon wireless website gaping privacy holes
From: Jeff Carnahan <tails () yahoo com>
Date: Sun, 2 Sep 2001 23:36:14 -0700 (PDT)
} I tried random session IDs and they gave similar results, except the
} minutes used changed, and so did the phone
} number. I think this is a major problem myself. Phone numbers could
} be gathered for marketing etc etc.
}

In addition to the exposed cellular numbers and usage information, the session ID also yields the user's account/login name.

Using a URL similar to the one provided earlier, again taking advantage of the sequential nature of the session ID code, you should look at the URL being used to load the pop-up windows. It contains a parameter "p_userid" set to what appears to be the login/username of the subscriber's account. Different session IDs yield different usernames; some include the zip code of the subscriber, which allows them to be easily located in conjunction with the telephone number revealed in the "View my recent usage" section.

Also included in the URL is the user's Verizon account number, market information, & session timeout date...

One session ID produced the message:

DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN PROCESS: ACOPT07H GETUSGA INTERNET08448771 2001/245 23:20:53

The spacing is exactly as it appeared.

Perhaps this will sound the alarm to Verizon that they have a serious problem.

--
Jeff C.
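An added example, not part of the original post or of any code from the site discussed: a minimal sketch of the server-side fix for the three problems the message describes (sequential session IDs, identity carried in a URL parameter such as "p_userid", and a raw backend error shown to the visitor). The names SessionStore, handle_usage, SESSION_TTL and the backend callable are hypothetical.

```python
import logging
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value for this example
log = logging.getLogger("portal")


class SessionStore:
    """Server-side table; the browser only ever holds an opaque token."""

    def __init__(self):
        self._sessions = {}

    def create(self, userid, account_no, now=None):
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: not sequential, not guessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "userid": userid,
            "account_no": account_no,
            "expires": now + SESSION_TTL,
        }
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self._sessions[token]  # expired: drop it
            return None
        return rec


def handle_usage(store, token, backend, now=None):
    """Return (status, body) for a hypothetical 'recent usage' request."""
    rec = store.lookup(token, now)
    if rec is None:
        return 403, "Session invalid or expired."
    try:
        # Identity comes from the server-side record, never from a URL parameter.
        return 200, backend(rec["userid"], rec["account_no"])
    except Exception:
        log.exception("usage backend failed")  # details stay in server logs
        return 500, "Usage information is temporarily unavailable."
```

The token should travel in a cookie marked Secure and HttpOnly rather than in the query string, so it does not end up in referrers, proxy logs or browser history.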