
Simple Bug Exposed Verizon Users' SMS Histories

Trailrunner7 writes "A security researcher discovered a simple vulnerability in Verizon Wireless's Web-based customer portal that enabled anyone who knows a subscriber's phone number to download that user's SMS message history, including the numbers of the people he communicated with. The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn't want others to have access to his account information. 'I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn't want my account information to exposed in such way,' Collier said via email."
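The missing check described in the summary, shown next to a corrected handler, as an added example that is not part of the original post and not Verizon's code. The session model, account IDs, phone numbers, and function names are all hypothetical, and the data is constructed.

```python
import csv, io, re

# Constructed sample data: accounts, the lines they own, and SMS metadata.
ACCOUNT_LINES = {"acct-alice": {"5550100001"}, "acct-bob": {"5550100002"}}
SESSIONS = {"sess-alice": "acct-alice", "sess-bob": "acct-bob"}
SMS_LOG = {
    "5550100001": [("2013-10-01 09:14", "5550100077")],
    "5550100002": [("2013-10-02 18:40", "5550100088")],
}
DENIED = []  # audit trail of refused requests, for detection and alerting


class Forbidden(Exception):
    pass


def normalize(number):
    """Reduce user input to 10 digits so formatting cannot dodge the check."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def to_csv(number):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time", "peer"])
    writer.writerows(SMS_LOG.get(number, []))
    return buf.getvalue()


def export_unchecked(session_id, number):
    """The flaw as described: a logged-in user, but the number is trusted as-is."""
    if session_id not in SESSIONS:
        raise Forbidden("login required")
    return to_csv(normalize(number))


def export_checked(session_id, number):
    """Serve the export only if the number is a line on the session's account."""
    account = SESSIONS.get(session_id)
    if account is None:
        raise Forbidden("login required")
    line = normalize(number)
    if line not in ACCOUNT_LINES.get(account, set()):
        DENIED.append((account, line))  # repeated denials are worth alerting on
        # Same error for "not yours" and "no such line": no enumeration oracle.
        raise Forbidden("not authorized for this line")
    return to_csv(line)
```

The ownership decision is made server-side from the session, never from the number the client submits.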
  • Re:How can it be? (Score:2, Insightful)

    by Anonymous Coward on Tuesday October 22, 2013 @05:55AM (#45198685)

    Users don't care about security. Everybody uses Whatsapp, that pile of shit with more holes than Swiss cheese. Functionality is more important than security. Time-to-market is more important than security. You can tell people that every call they make is recorded, every SMS datamined, every location tracked. They do not care, because it never hurts them. The privacy apocalypse just doesn't happen. If more than a very small number of people are ever negatively affected by a privacy breach, then the laws will be changed and remedies will be found. It simply does not pay to do it right. Most software never leaves prototype stadium. If it works, ship it. You know the saying: "There's never time to do it right, but there's always time to do it over."

  • Re:How can it be? (Score:5, Insightful)

    by Joining Yet Again ( 2992179 ) on Tuesday October 22, 2013 @06:20AM (#45198771)

    Newsflash: big corps, health care providers, governments... have 1 competent and responsible employee for 100 hacks in their employ.

    And you know what the worst thing is? Everybody thinks they're the 1 competent employee.

  • Re:How can it be? (Score:5, Insightful)

    by l3v1 ( 787564 ) on Tuesday October 22, 2013 @06:22AM (#45198781)
    "Functionality is more important than security."

    For average users, quite true. Non-average users, or ones that really want to keep their communications secret, also know that, and they don't use those services. That's why it makes so many people angry that the communications of masses of people are watched, probably 99.999% of the time totally unnecessarily. Of course, there's the good old catch-22 as well, since if they wouldn't watch the common channels, criminals wouldn't need to find better ways to communicate. So, as always, the majority of innocent people get hassled for the hope that the lives of the few criminals become harder. Well, a false hope (you all know Newton's 3rd law, right?), but still a hope.
