Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Verizon Hum Leaking Credentials

or, Christmas Infosec Insanity…

A friend mentioned Hum by Verizon, a product I hadn’t heard of but one that quickly caught my attention – both from a “here’s a privacy nightmare” perspective and from an “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – and what I saw was rather unexpected.

Near the top is a large block of JSON assigned to an otherwise unused variable named phpvars; it included some validation code, a number of URLs, some HTML, and the like. After seeing the first element, isDeveloperMode, I was sure this was worth a closer look.

A few lines in, I ran across something that I would have never expected from a company like Verizon:

{
  ...
  "verizonApi":{
    "rest":{
      "source_name":"ss",
      "organization":"Tech",
      "region":"US",
      "application_name":"VV",
      "default_timeout":"15000",
      "integration_id":"12345",
      "order_type":"NEW_VV",
      "channel_name":"Online",
      "debug":"1"
    },
    "soap":{
      "username":"vv_aia_integration_user",
      "password":"Weblogic12"
    },
    "calculate_tax":{
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/TaxCalculation\/products\/tax\/totalAmount",
      "behavior":"call_api"
    },
    "catalog_sync_promotion_detail":{
      "external_url":"http:\/\/atlspare05xd.hughestelematics.net:8011\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "timeout":"60000",
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "behavior":"call_api"
    },
    ...
  }
}

Username, password. Embedded in JavaScript. Seriously.

In the JSON, there are several API endpoints listed, from a variety of domains (only one of which is publicly resolvable):

  • osb-bss-vv.vtitel.net
  • atlspare05xd.hughestelematics.net:8011
  • shopping.hum.com

Whether any of these endpoints would allow an outside attacker to gather private data, I couldn’t say.

There are a few things about this that really surprise me:

  • How did Verizon allow this to go live?
  • Why aren’t they doing any type of post-deployment testing?
  • Weblogic12 – Seriously? Is that really an acceptable password?
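As an added example (not code from the post or from Verizon), here is the kind of post-deployment check that would have caught this: a small Python script that pulls every inline `var x = {...}` JSON object out of a page's HTML and flags password-like keys and debug flags. The sample HTML, its hostnames and its credential values are constructed placeholders modelled on the phpvars block above, not the real ones.

```python
import json
import re

# Key names that should never ship to the browser with a value attached.
SECRET_KEYS = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
# Keys that indicate a development/debug configuration was deployed to production.
DEBUG_KEYS = {"debug", "isdevelopermode", "developer_mode"}
# `var name = {` / `let name = {` / `const name = {` -- the lookahead leaves the
# cursor on the opening brace so json can decode the object in place.
VAR_RE = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*(?=\{)")

# Constructed sample page (placeholder credentials and hosts), shaped like phpvars.
SAMPLE_HTML = """<html><script>
var phpvars = {"isDeveloperMode":true,
 "verizonApi":{"rest":{"debug":"1","integration_id":"12345"},
  "soap":{"username":"example_user","password":"placeholder_password"},
  "calculate_tax":{"url":"http:\\/\\/api.example.invalid\\/tax","behavior":"call_api"}}};
var other = {"title":"Shop"};
</script></html>"""


def extract_inline_json(html):
    """Yield (variable_name, parsed_object) for each JSON literal assigned to a JS variable."""
    decoder = json.JSONDecoder()
    for m in VAR_RE.finditer(html):
        try:
            obj, _ = decoder.raw_decode(html, m.end())  # parses one balanced object, nested braces included
        except json.JSONDecodeError:
            continue  # a JS object literal with unquoted keys is not JSON; skip it
        yield m.group(1), obj


def walk(obj, path=()):
    """Flatten nested dicts/lists into (path_tuple, leaf_value) pairs."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, path + (str(i),))
    else:
        yield path, obj


def find_leaks(html):
    """Return (kind, dotted_path, value) findings; secret values are redacted, never echoed."""
    findings = []
    for var, obj in extract_inline_json(html):
        for path, value in walk(obj, (var,)):
            key, dotted = path[-1], ".".join(path)
            if SECRET_KEYS.search(key) and value not in ("", None):
                findings.append(("secret", dotted, "<redacted>"))
            elif key.lower() in DEBUG_KEYS and str(value).lower() in ("1", "true"):
                findings.append(("debug", dotted, value))
    return findings


if __name__ == "__main__":
    for kind, where, value in find_leaks(SAMPLE_HTML):
        print(f"{kind:6} {where} = {value}")
```

Point it at a fetched copy of each production page (for example the output of `curl` on the shop URL) as part of the deployment pipeline, and fail the deploy on any `secret` finding.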

The use of stolen and/or misused credentials (user name/passwords) continues to be the No. 1 way to gain access to information. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication. – Verizon Data Breach Investigations Report

I’ve reached out to Verizon via Twitter to ensure that they are aware that this information is being leaked. I attempted to email both [email protected] and [email protected] – neither of which is a valid address (another surprise from a company that should have a clue).
