Hacking the call records of millions of Americans

7 months ago (evanconnelly.github.io)

> So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.

Yikes. Seems like a pretty massive oversight by Verizon. I wish in situations like this there was some responsibility of the company at fault to provide information about if anyone else had used and abused this vector before it was responsibly disclosed.
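The flaw the quoted passage describes is a missing object-level authorization check: the server confirms who is signed in but trusts the client-supplied phone number. The following toy model is an added example written for this thread, not code from the blog post, from Verizon or from Cequint; it shows the unchecked handler beside a fixed one and adds a small access-log audit that answers the "did anyone else abuse this" question retroactively. All session tokens, account identifiers, phone numbers, call records and log lines are constructed.

```python
"""
Toy model of a "call log retrieval" endpoint with and without the ownership
check, plus an audit over constructed access logs. Not the real service.
"""

# Constructed session store: session token -> account id.
SESSIONS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}

# Constructed mapping of accounts to the phone numbers they actually own.
ACCOUNT_LINES = {
    "acct-1": {"+15550100001", "+15550100002"},
    "acct-2": {"+15550100003"},
}

# Constructed call records keyed by the phone number they belong to.
CALL_LOGS = {
    "+15550100001": [("+15550199999", "2025-01-02T10:00:00Z")],
    "+15550100002": [],
    "+15550100003": [("+15550188888", "2025-01-03T11:30:00Z")],
}


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


def authenticate(token):
    """Resolve a session token to an account id, or fail."""
    acct = SESSIONS.get(token)
    if acct is None:
        raise AuthError("invalid session")
    return acct


def call_log_retrieval_vulnerable(token, phone_number):
    """Authenticates the caller but trusts the client-supplied phone number,
    so any valid session can read any number's records (the bug in the thread)."""
    authenticate(token)
    return CALL_LOGS.get(phone_number, [])


def call_log_retrieval_fixed(token, phone_number):
    """Object-level authorization: the requested number must belong to the
    account behind the session, regardless of what the client sent."""
    acct = authenticate(token)
    if phone_number not in ACCOUNT_LINES.get(acct, set()):
        raise AuthError("phone number not associated with account")
    return CALL_LOGS.get(phone_number, [])


def fixed_allows(token, phone_number):
    """Convenience wrapper: True if the fixed handler serves the request."""
    try:
        call_log_retrieval_fixed(token, phone_number)
        return True
    except AuthError:
        return False


# Constructed access-log lines: "<token> <requested number> <http status>".
ACCESS_LOG = """\
tok-alice +15550100001 200
tok-alice +15550100003 200
tok-bob +15550100003 200
tok-bob +15550100001 200
tok-bob +15550100002 200
"""


def audit_access_log(log_text):
    """Return (token, number) pairs where the requested number is outside the
    requesting account's own lines. Run over historical logs after the fix,
    this scopes who actually used the gap and which subscribers were affected."""
    findings = []
    for line in log_text.splitlines():
        token, number, _status = line.split()
        acct = SESSIONS.get(token)
        owned = ACCOUNT_LINES.get(acct, set())
        if number not in owned:
            findings.append((token, number))
    return findings


if __name__ == "__main__":
    print("vulnerable:", call_log_retrieval_vulnerable("tok-alice", "+15550100003"))
    print("fixed allows own number:", fixed_allows("tok-alice", "+15550100001"))
    print("fixed allows other number:", fixed_allows("tok-alice", "+15550100003"))
    print("audit findings:", audit_access_log(ACCESS_LOG))
```

The audit only works if the access logs record both the session identity and the requested number; a log that keeps only one of the two cannot answer the question the comment above raises.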

> The Verizon Call Filter app uses the endpoint hxxps://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval to lookup call history for the authenticated user and display it in the app.

Have you ever seen a more internal-looking domain name?

  • It does look very internal, but the root domain name is more comprehensible than it might appear.

    Cequint is a company that provides caller ID services. "Vz" is short for Verizon. "Cid" is short for caller ID. That only leaves "we", which probably refers to either "wireless" or "web" in some way, e.g. wireless/web "edge" or "endpoint".

    The domain is therefore the Cequint Verizon Wireless (Web?) Edge Caller ID endpoint.

    I don't know what clr or aqx are, though. (I assume CLR is not Microsoft's Common Language Runtime, but I suppose it could be. I know at least one company that likes to name services after the technology used to implement them.)

I am hoping they paid a bounty for this (> 20k). Otherwise doing the right thing isn't right in my opinion. Their MBAs will not see a lesson to be learned, but something that is to be swept under the rug.

Crazy that this is possible at such a giant like Verizon. But it seems to happen more often than before.

  • It's more possible at giants, IMO. Level of technical competence/excellence tends to be inversely proportional to company size. FAANG might be exceptions, but IMO large companies (like big banks, etc) have a lot of hidden technical incompetence you can't see.

    • A major goal of the complex computing infrastructure at large orgs is to wall off the ignorance and/or incompetence to contain, mitigate, or prevent its consequences.

      (Note that "ignorance" is not pejorative here: not everyone can know everything.)

  • Start the big fines and criminal investigations and it'll be fixed tomorrow.

    • I have a feeling that ever since late January 2025 in the U.S., oversight and regulatory overview might be more lax than in the past, and there will be less of those "pesky" fines and criminal investigations...which begs the question: will 2025 be the year of increased negligent and/or nefarious behavior - both from corporate entities as well as hackers?

      ...I gotta go take a walk near some nature and flowers, because I just depressed myself with my comment. :-(


Where was the pen testing?

Who is in charge of security over there?

There need to be some answers; this is such an obvious and easily exploited security hole, we need to ask what else is leaking from them.

Good that they fixed it quickly.

  • A bug bounty might be viewed as a 24/7 pentest conducted by everyone in the world willing to work for the bounty price.

    While you're waiting a few days for Steve to get back from vacation and approve the PO for a pentesting contract, everyone else in the world is already pentesting your systems anyways.

    Doesn't look like Verizon has bug bounties, so I guess we're lucky that the person who found this one was willing to work for free.

Call logs are printed on every billing statement by default. I believe it may even include SMS messages in some cases.

This data has likely proliferated widely throughout the company, subsidiaries and contractors, to reside on an unknowable number of systems. I would assume call record metadata is fully compromised at this point.

That’s not to take away from the finding in the blog – I’m merely commenting on the question in its conclusion, about the implications of a barely known technology vendor controlling the vulnerable server holding this data.

  • A while ago I worked on a system handling call records for a large telco. Call records were considered sensitive information at that company, and distributed only where definitely needed. I'm sure security wasn't bulletproof, but there were regular audits to check that employees and contractors didn't store records in places they weren't supposed to.

    One of the main functions of the system that I worked on was to create various anonymous and/or aggregated versions of the data, which could be distributed and used more widely (for stuff like fraud detection, network provisioning, marketing...).

> I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted

Seems like the problem could be even bigger than described.

I have always wondered something about this kind of hacking. How do you guys come up with these ideas? Should I download the top 100 apps from the App Store or Play Store and try to reverse them or introspect their requests and see if I hit a jackpot? Perhaps I can report a bug bounty and maybe score some credit from the company to whom the app belongs. There are millions of apps across both stores. Perhaps find a way to introspect all of them? No seriously, do you do this full time? Is ethical hacking your job, or how does this work? How do you randomly go about finding stuff that nobody has found out before?

  • When you're reverse engineering a web API used by an app (I've done this for personal integrations and automations) via MITMProxy and/or a device emulator, sometimes API calls show up that make you go "hmmm".

    > There are millions of apps across both stores. Perhaps find a way to introspect all of them?

    I would be surprised if this method wasn't also being employed, if not by individual hackers, then in the form of growth hacking by companies who sell a means of fixing it.

    Still seems like something fun to try.

  • Sometimes you are their customer and have the ability to verify your own data security.

    Normally those companies need an intervention from an authority to do something about it though.

    Source: Personal experience.

It's odd that this is called "hacking", as there is no formal procedure or rules around granting access to phone records, and the huge number of "scandals" involving the abuse of phone records and the open use in tracking phones for assassination of foreign nationals can't be done without the casual access to all phone records, so there can be no doubts about an ongoing situation that continuously violates everyone's right to private communication. The headline is best described as a test of complacency. Why bother?

How isn't this the breaking news story of this and future weeks to come? The government likes to spread a lot of FUD about how foreign nation states can interfere with citizens, but when there is an actual vulnerability in such corporate turds as Verizon that actually allows the foreign nation to spy on you, nobody in the media bats an eye.

Of course, the answer is that the corporations own both Congress and the media.

How did he intercept what API calls a mobile app was making?

  • Presumably by configuring the system-level HTTP proxy settings to point to a tool like mitmproxy or similar running on a machine on their LAN, and then installing a locally signed root CA certificate generated by the proxy, to enable it to decrypt TLS connections. I'm not familiar with the process on iOS, but it's pretty straightforward on Android. Some apps bundle their own root CA certificate (see "certificate pinning") and ignore the system certificates, which defeats this method unless you can decompile the app package, replace the bundled certificate with your own, and recompile/sideload the modified package. It's also possible they statically analyzed the app package to discover URLs.

    • In addition, there are TLS downgrade attacks that can trick a client into using SSL or a less secure cipher suite. Clients (and servers) can also prevent this, but it’s the classic long tail of vulns where it may mean blocking older clients, which might include third parties or abandoned automation.