Verizon says it has patched an information disclosure vulnerability identified by a researcher on the company’s Hum website.
Launched in August 2015, Hum is a Verizon product that allows users to add new technologies to their old cars, including vehicle diagnostics, roadside and emergency assistance, and stolen vehicle location features.
Independent security researcher Adam Caudill analyzed the Hum website and discovered that the source code of the “shopping” page included a username and the password “Weblogic12.” There were several domains listed in the code, but the expert noted that it wasn’t clear if an outside attacker could collect private data.
“There are a few things about this that really surprise me: 1) How did Verizon allow this to go live? 2) Why aren’t they doing any type of post-deployment testing? 3) Weblogic12 – Seriously? Is that really an acceptable password?” Caudill said in a blog post.
The expert pointed to Verizon’s 2015 Data Breach Investigations Report (DBIR), which noted that the use of stolen and misused credentials continues to be the main method for accessing information, and two out of three breaches involve weak or stolen passwords.
Caudill said he attempted to report the issue to Verizon via Twitter and email, although the email addresses he used were not valid.
Verizon representatives told SecurityWeek that the vulnerability has been fixed and that customer information was not at risk.
“Verizon Telematics takes the security of our customers very seriously. The issue has been resolved, and we’re happy to report that no customer information was at risk,” Verizon said.
This was not the first time someone found vulnerabilities in Verizon software. In January, researcher Randy Westergren reported discovering a flaw that could have been leveraged by hackers to hijack the email accounts of Verizon customers by exploiting a vulnerability in the telecom giant’s fiber optic Internet, telephone and television service FiOS.
Thank you all for reading!
Source: HERE