Verizon Patches Security Flaw That Could Have Affected Millions

The vulnerability reportedly required only a simple browser plug-in and an older version of Firefox to let an attacker hijack a Verizon customer's Internet account.

Verizon, security vulnerability, Internet, home accounts

Verizon patched an online security vulnerability that could have allowed attackers to take control of some 9 million customers' home Internet accounts.

The flaw was repaired in a few hours, according to Verizon, after the company was advised of the problem by the chief security officer of mobile wallet app vendor, Cinder—who, along with a student at a Maryland college, discovered it, according to a May 13 report by Buzzfeed.

The vulnerability could have allowed anyone to view the personal information of Verizon home Internet customers by going to the Website using a spoofed IP address, according to the report. The vulnerability existed because Verizon's customer support Website identifies customers through their computers' IP address, and since that is unique to each home Internet customer, an attacker could have identified an individual customer. Using the IP address, an attacker could then potentially have displayed a user's location, name, phone number and email address, the story said.

A Verizon spokesman told MarketWatch on May 14 that the company has "no reason to believe that any customers were impacted by this." If any customers are found to have been attacked through the flaw, the company said it will contact those customers.

The security issue was caused by a coding error in a software update on April 22, Verizon explained to MarketWatch. Given the brief period between the discovery of the vulnerability and its repair, the company said it believes there is a low probability of impacts on customers.

In April, Verizon released its annual study of security breach activities in the United States and found that there has been little change in the overall threat landscape since 2014, according to an earlier eWEEK report.

The company's 2015 Data Breach Investigations Report (DBIR) received data from 79,790 security events, of which 2,122 were confirmed data breaches. In contrast, the 2014 report was based on data on 63,437 security incidents, of which 1,367 were confirmed data breaches.

As was the case in the 2014 report, Verizon has identified nine basic attack patterns into which nearly all attacks can be categorized: point-of-sale (POS) intrusions, Web application attacks, insider misuse, theft and loss, miscellaneous errors, crimeware, payment-card skimmers, denial-of-service attacks and cyber-espionage.

Interestingly, mobile platforms are not the preferred vectors for attacks, the report stated.

Verizon's analysis also shows that not every vulnerability that is found is exploited. There are some 67,567 vulnerabilities with a CVE (Common Vulnerabilities and Exposures) designation, but only 792 of them were exploited in 2014.

When organizations are exploited, the cost of the data breach varies by a wide range—based, in part, on the number of records stolen, the report said. A million-record loss can range from a low of $57,600 all the way up to $27.5 million.