An independent security researcher discovered a way to brute force Verizon PINs online, meaning they could potentially break into Verizon customer accounts. In response, Verizon has taken the impacted web pages offline.
The issue stemmed from the way Verizon’s website was built: the researcher could send many concurrent requests guessing a target’s PIN, but the site would register only one attempt. Many websites are designed to block a person’s computer or temporarily lock an account if someone enters multiple incorrect passcode guesses in a row. Here, a hacker could tip the odds in their favor by making many more guesses at once without the site stopping them.
“Using this one page I can expose any Verizon [customer] account number as well as retrieve any customer’s PIN. Pretty powerful bug,” the researcher who discovered the issue, Joseph Harris, also known as Doc, told Motherboard in an online chat.
This issue is known as a race condition; Microsoft faced a similar issue in March when a researcher demonstrated it would be possible to brute force PINs for Microsoft accounts.
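The counting flaw described above, as an added illustration that is not code from Verizon, Harris or Motherboard: a simulated PIN check whose attempt counter is read and written in separate steps, next to a version that reserves the attempt atomically. The threshold, the PIN value and all class and function names are assumptions made for this sketch.

```python
import threading
import time

MAX_ATTEMPTS = 3      # lockout threshold (assumed for this sketch)
SECRET_PIN = "4821"   # constructed sample value

class RacyLimiter:
    """Check-then-act: read the counter, verify, then write it back."""
    def __init__(self):
        self.attempts = 0
    def try_pin(self, guess, pause):
        seen = self.attempts          # 1. read
        if seen >= MAX_ATTEMPTS:
            return None               # locked out; guess not evaluated
        pause()                       # 2. verification latency: others read the same value
        self.attempts = seen + 1      # 3. stale write: N requests record one attempt
        return guess == SECRET_PIN

class AtomicLimiter:
    """Reserve an attempt under a lock before the guess is evaluated."""
    def __init__(self):
        self.attempts = 0
        self._lock = threading.Lock()
    def try_pin(self, guess, pause):
        with self._lock:              # check and increment as one atomic step
            if self.attempts >= MAX_ATTEMPTS:
                return None
            self.attempts += 1
        pause()
        return guess == SECRET_PIN

def run_burst(limiter, guesses, pause):
    """Send all guesses concurrently; return (guesses evaluated, attempts recorded)."""
    results = []
    threads = [threading.Thread(target=lambda g=g: results.append(limiter.try_pin(g, pause)))
               for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results), limiter.attempts

def demo():
    guesses = [f"{n:04d}" for n in range(20)]   # 20 wrong guesses in one burst
    barrier = threading.Barrier(len(guesses))   # every request reads before any writes
    racy = run_burst(RacyLimiter(), guesses, barrier.wait)
    safe = run_burst(AtomicLimiter(), guesses, lambda: time.sleep(0.01))
    return racy, safe
```

Calling `demo()` returns `((20, 1), (3, 3))`: the racy limiter evaluates all 20 guesses while recording a single attempt, and the atomic one stops evaluating at the threshold.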
Armed with a customer’s PIN, an attacker could have requested a change of SIM card, Harris said. Known as SIM swapping, this is an attack where hackers can redirect text messages to themselves to then break into other accounts. Harris said they could also add a new phone number to the target’s account or read a user’s text messages.
“The race condition could of [sic] allowed me to take over a Verizon wireless account as well. You can see texts via vtext.com,” Harris added.
Harris uploaded a proof-of-concept video of the attack to YouTube to demonstrate the issue to Motherboard and Verizon itself. After uploading the clip, Harris received interest from apparent SIM swappers who wanted more information on the technique.
“Hey, this is incredible. Is there any place I could contact you? Wickr/Wire/Discord,” one person wrote in a YouTube comment, according to a screenshot shared by Harris. Harris then temporarily removed the video.
Harris says they reported the issue to Verizon. After Motherboard asked Verizon for comment, an employee from Verizon’s security team emailed Motherboard for more information. Verizon later addressed the issue by essentially taking down the pages Harris used to demonstrate the attack.
“The vulnerability has been mitigated. We truly appreciate this being brought to our attention,” Vincent Devine, Manager-Security Risk Management at Verizon, told Motherboard in an email.