Verizon Hum Leaking Credentials

Image: Photo by Nahel Abdul Hadi on Unsplash

or, Christmas Infosec Insanity…

A friend mentioned Hum by Verizon, a product that I hadn’t heard of but quickly caught my attention – both from a “here’s a privacy nightmare” perspective, and “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – what I saw was rather unexpected.

Near the top is a large block of JSON assigned to an otherwise unused variable named phpvars – included was some validation code, a number of URLs, some HTML, and the like. After seeing the first element, isDeveloperMode, I was sure this was worth a closer look.

A few lines in, I ran across something that I would have never expected from a company like Verizon:

{
  ...
  "verizonApi":{
    "rest":{
      "source_name":"ss",
      "organization":"Tech",
      "region":"US",
      "application_name":"VV",
      "default_timeout":"15000",
      "integration_id":"12345",
      "order_type":"NEW_VV",
      "channel_name":"Online",
      "debug":"1"
    },
    "soap":{
      "username":"vv_aia_integration_user",
      "password":"Weblogic12"
    },
    "calculate_tax":{
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/TaxCalculation\/products\/tax\/totalAmount",
      "behavior":"call_api"
    },
    "catalog_sync_promotion_detail":{
      "external_url":"http:\/\/atlspare05xd.hughestelematics.net:8011\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "timeout":"60000",
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "behavior":"call_api"
    },
    ...
  }
}

Username, password. Embedded in JavaScript. Seriously.

In the JSON, there are several API endpoints listed, from a variety of domains (only one of which is publicly resolvable):

osb-bss-vv.vtitel.net
atlspare05xd.hughestelematics.net:8011
shopping.hum.com

If any of these endpoints would allow an outside attacker to gather private data, I couldn’t say.

There are a few things about this that really surprise me:

How did Verizon allow this to go live?
Why aren’t they doing any type of post-deployment testing?
Weblogic12 – Seriously? Is that really an acceptable password?

The use of stolen and/or misused credentials (user name/passwords) continues to be the No. 1 way to gain access to information. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication. – Verizon Data Breach Investigations Report

I’ve reached out to Verizon via Twitter to ensure that they are aware that this information is being leaked. I attempted to email both security@verizon.com and security@hum.com – neither of which are valid addresses (another surprise from a company that should have a clue).

Adam Caudill

Juniper, Backdoors, and Code Reviews

Researchers are still working to understand the impact of the Juniper incident – the details of how the VPN traffic decryption backdoor are still not fully understood. That such devastating backdoors could make it in to such a security-critical product, and remain for years undetected has shocked many (and pushed many others deeper into their cynicism). There are though, some questions that are far more important in the long run:

Snapchat: API & Security

Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat, that email was quoted in the FTC compliant as proof that Snapchat was aware of these issues. Update 2: The Snapchat API has changed to address the issues I pointed out to them – and the new API has issues as well.

Generating Content Stats for Hugo

I recently became curious just how much time I had spent working on content for this site, which led me to an idea: it would be great to have a page that listed some useful data about the content, and how much effort was put into it. I had some hope that I could pull some of this directly out of Hugo, though unfortunately it didn’t expose the information I wanted (and certainly not in an efficient way).

OPSEC, The NSA, and You

It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.

Where’s the service?

When I buy something, I expect support. When I buy something expensive, I expect really good support. That may be asking too much, but that’s just how I think. Now, when I contact the vendor for support, I expect to talk to somebody that understands the product. When I bring up an issue that gets me on a conference call with a Vice President and a Project Manager, I expect them to give me accurate data.