Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Verizon Hum Leaking Credentials

or, Christmas Infosec Insanity…

A friend mentioned Hum by Verizon, a product that I hadn’t heard of but quickly caught my attention – both from a “here’s a privacy nightmare” perspective, and “I might actually use that” perspective. While looking at the site, I decided to take a look at the source code for the shopping page – what I saw was rather unexpected.

Near the top is a large block of JSON assigned to an otherwise unused variable named phpvars; it included some validation code, a number of URLs, some HTML, and the like. After seeing the first element, isDeveloperMode, I was sure this was worth a closer look.

A few lines in, I ran across something that I would have never expected from a company like Verizon:

{
  ...
  "verizonApi":{
    "rest":{
      "source_name":"ss",
      "organization":"Tech",
      "region":"US",
      "application_name":"VV",
      "default_timeout":"15000",
      "integration_id":"12345",
      "order_type":"NEW_VV",
      "channel_name":"Online",
      "debug":"1"
    },
    "soap":{
      "username":"vv_aia_integration_user",
      "password":"Weblogic12"
    },
    "calculate_tax":{
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/TaxCalculation\/products\/tax\/totalAmount",
      "behavior":"call_api"
    },
    "catalog_sync_promotion_detail":{
      "external_url":"http:\/\/atlspare05xd.hughestelematics.net:8011\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "timeout":"60000",
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "behavior":"call_api"
    },
    ...
  }
}

Username, password. Embedded in JavaScript. Seriously.

In the JSON, there are several API endpoints listed, from a variety of domains (only one of which is publicly resolvable):

  • osb-bss-vv.vtitel.net
  • atlspare05xd.hughestelematics.net:8011
  • shopping.hum.com

If any of these endpoints would allow an outside attacker to gather private data, I couldn’t say.

There are a few things about this that really surprise me:

  • How did Verizon allow this to go live?
  • Why aren’t they doing any type of post-deployment testing?
  • Weblogic12 – Seriously? Is that really an acceptable password?
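A post-deployment check of the kind asked for above, written here as an added example (not the author's code, nor anything Verizon runs): it pulls the JSON assigned to phpvars out of a page's source and flags credential-like keys, debug switches and the hosts named in URLs. The page fragment is constructed to mirror the shape shown above; the variable name, key patterns and function names are my assumptions.

```python
import json
import re
from urllib.parse import urlparse
# Constructed sample mirroring the shape the post describes: a JSON object
# assigned to an unused "phpvars" variable inside a <script> block.
SAMPLE_HTML = """<html><head><script type="text/javascript">
var phpvars = {"isDeveloperMode":true,"verizonApi":{"rest":{"debug":"1"},
"soap":{"username":"vv_aia_integration_user","password":"Weblogic12"},
"calculate_tax":{"url":"http:\\/\\/osb-bss-vv.vtitel.net\\/HTIWebGateway\\/vv\\/rest\\/TaxCalculation"}}};
</script></head><body></body></html>"""

# Key-name patterns (assumed, not from the page): hard findings vs. context.
SECRET_KEYS = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)
CONTEXT_KEYS = re.compile(r"user(name)?|login|debug|isdevelopermode", re.I)


def extract_json_vars(html, var_name="phpvars"):
    """Return every JSON object assigned to `var_name` in the page source."""
    decoder = json.JSONDecoder()
    objects = []
    for m in re.finditer(r"\b%s\s*=\s*(?=\{)" % re.escape(var_name), html):
        try:  # raw_decode parses exactly one object, so nested braces are safe
            obj, _ = decoder.raw_decode(html, m.end())
        except json.JSONDecodeError:
            continue  # a real JS object literal, not JSON: skip it
        objects.append(obj)
    return objects


def walk(node, path=""):
    """Yield (path, key, value) for every leaf of a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], node


def find_leaks(obj):
    """Classify leaves: secret values, debug/identity context, hosts in URLs."""
    report = {"secrets": [], "context": [], "hosts": set()}
    for path, key, value in walk(obj):
        if SECRET_KEYS.search(key) and isinstance(value, str) and value:
            report["secrets"].append(path)
        elif CONTEXT_KEYS.search(key) and value not in (False, "", "0", None):
            report["context"].append(path)
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            report["hosts"].add(urlparse(value).netloc)
    return report
```

Run it against the fetched HTML of each public page after every deploy; any non-empty "secrets" list is a release blocker, and "hosts" shows which internal names the page advertises.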

The use of stolen and/or misused credentials (user name/passwords) continues to be the No. 1 way to gain access to information. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication. – Verizon Data Breach Investigations Report

I’ve reached out to Verizon via Twitter to ensure that they are aware that this information is being leaked. I attempted to email both security@verizon.com and security@hum.com – neither of which is a valid address (another surprise from a company that should have a clue).
