The exploit, which required little or no technical skill to carry out, relied on spoofing (imitating) a target’s IP address, which then allowed the reporter to obtain the target’s name, telephone number, and email address. Using only those three identifiers and basic social engineering, the reporter, Joe Bernstein, was able to convince Verizon customer service to reset the customer’s password for him.
Spoofing another person’s IP address is relatively easy to accomplish given the widespread availability of software that practically automates the process. While there are benign applications for spoofing, it is often used by malicious hackers to either conceal their identities or masquerade as a victim for a variety of malevolent purposes.
In a similar exercise last year, the Daily Dot demonstrated how anyone with a little time and basic computer skills could spoof someone else’s phone number and access their voicemail.
Bernstein notes that each of his victims joined the exercise willingly and gave him permission to access their accounts. BuzzFeed notified Verizon about the vulnerability before reporting it to the public. The company attributed the flaw to a programming error on April 22.
“If I were a criminal, this is where the really bad stuff would have started,” Bernstein wrote in his story. “For someone who uses a Verizon email address, if I had wanted to I could have reset that and combed through it for credit card and bank information, health records, Social Security numbers — the works.”
“It’s very common for hackers to leverage information found in one place to get password resets in another,” Bernstein continued. “What’s more, it also means that law enforcement could obtain the identity of anyone with a Verizon IP address, without a court order.”