Verizon Glitch Fix Is a Bitch

After months, Verizon Wireless finally fixed a glitch on its network that could have allowed hackers to harvest lists of customers' phone numbers and read private text messages. Unfortunately, the fix created another problem. By Elisa Batista.

Verizon Wireless on Friday fixed a glitch that for months let anyone go to its text-messaging website and retrieve lists of customers' cell-phone numbers and private text messages.

The software bug was discovered three months ago by ThreeZee Technology, a security research company in Bridgeton, New Jersey. The company said it tried to notify Verizon when it first discovered the glitch and even spoke with company representatives, but the bug remained. Verizon didn't fix the glitch until Wired News called for comment.

The glitch exposed the information like this: An exploiter would send a text message to the cell phone of a Verizon customer through Verizon's website. The site would then send a confirmation back. The confirmation message included a unique identification code. By altering one or two letters of that code and typing it back into the website, the exploiter could gain the telephone number of yet another customer. An experienced hacker could also use the code to retrieve text messages sent through the network.

For the past three months, ThreeZee researchers had been compiling Verizon customer information this way.

Verizon spokesman Jeffrey Nelson would neither confirm nor deny that the bug existed. He said, "We're always improving on our networks."

More-experienced hackers could automate the system to gain lists of cell-phone numbers -- a telemarketer's wet dream, said Mike Kristovich, a security researcher and co-founder of ThreeZee.

"It's just a missed line of code or a simple mistake in tracking," Kristovich said. "It's most likely a typo or a small mistake that shouldn't take any time to fix. I've talked to a lot of people over there in the last month. We've been tracking the status of this bug, but Verizon has not made any attempt to contact us."

Wired News called Verizon Thursday. On Friday the messaging service was changed so the confirmation code couldn't be exploited to get numbers or private text messages.

But now, legitimate users can't receive confirmation that their text message was sent to the right phone number. Instead, they receive a line of asterisks where the intended telephone number once existed.
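The glitch as described is a lookup keyed on a guessable confirmation code with no check on who is asking, and the fix hid the number from everyone, sender included. The sketch below is an added example, not Verizon's code or anything from ThreeZee: it shows one way to keep the confirmation for the sender while rejecting altered or borrowed codes. The session ids, function names and phone numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# record id -> (session id of the sender, recipient number)
_confirmations = {}


def _tag(record_id: str, session_id: str) -> str:
    """MAC that binds a record id to the session that created it."""
    msg = f"{record_id}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_confirmation(session_id: str, recipient: str) -> str:
    """Record the recipient of a sent message and return its confirmation code."""
    record_id = secrets.token_hex(16)  # random, so neighbours cannot be guessed
    _confirmations[record_id] = (session_id, recipient)
    return f"{record_id}.{_tag(record_id, session_id)}"


def lookup_confirmation(session_id: str, code: str):
    """Return the unmasked recipient number, but only to the original sender."""
    record_id, _, tag = code.partition(".")
    expected = _tag(record_id, session_id)
    # Constant-time comparison; fails for edited codes and for other sessions.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    record = _confirmations.get(record_id)
    # Server-side ownership check, kept even though the MAC already passed.
    if record is None or record[0] != session_id:
        return None
    return record[1]


if __name__ == "__main__":
    code = issue_confirmation("sess-alice", "+1-555-0101")    # constructed values
    print(lookup_confirmation("sess-alice", code))            # sender sees number
    print(lookup_confirmation("sess-bob", code))              # other user: None
```
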

"It's almost like saying, 'If you're getting spam on your phone, we'll just disable your ability to get text messages at all,'" said Alan Reiter, a Verizon Wireless customer and president of consulting company Wireless Internet & Mobile Computing. "Basically, Verizon has disabled a valuable service in order to fix a significant problem."

Reiter said the glitch could come back to haunt Verizon. Someone else out there could have noticed the bug and could have used it to harvest phone numbers for spamming purposes.

One billion text messages were sent over the Verizon network in the first six months of this year, according to the company. It is the largest cell-phone service provider, with about 33.3 million customers.