Randy Westergren¹ figured out a way to hijack a Verizon FiOS account (FiOS is a bundled Internet, telephone, and TV service).
Randy was doing research into a vulnerability involving compromised email accounts for the FiOS app, and found a problem with the "reset my password" method on the Verizon website.
With a few computer tricks (if you are interested, check the details on his site), he was able to hijack an email account.
Before we all get excited: he worked with Verizon from October of 2014 until October of 2015, with the final fix on November 3rd. So this problem is now fixed.
Here is the pictorial representation of the hijack hack.
Why would I post about a fixed issue?
Think about it: Verizon never tested this, and even after being told about it, took 1 year and a month to finally fix it. How many accounts were falsely taken by enterprising criminal hackers with billion-dollar² warchests?
Verizon has opened a new website here: http://www.verizonwireless.com/landingpages/report-security-vulnerability/
Or email Verizon Security directly: CorporateSecurity@verizonwireless.com.
My problem with corporate methods is that decisions are not made fast enough. The decisions of the corporate heads require proof, and a project, and a champion in the department, and X and Y and Z. In other words, it will take a year or more to fix the problem because we are not ready.
How many other companies are in the same boat? Do we really have to get our email accounts hacked FIRST?
It is high time that the Directors, CIOs, CTOs, and CEOs of all technology companies improve the cybersecurity of their operations by setting up a test regime that is second to none. It is not enough to create a website that takes customer suggestions of impropriety.
The people with the most to lose (all the CxOs) should know exactly how much effort goes into testing the heck out of the technology that is online right now.
Contact Me to discuss