Private Phone Records on Web
Kevin Poulsen, SecurityFocus 2000-08-14

Managers at the largest regional telco pulled an all-nighter Sunday to take down a service that had undocumented features, and unlisted phone numbers.
Verizon's twenty-eight million residential and business telephone subscribers from Maine to Virginia had portions of their private telephone records exposed on a company web site, SecurityFocus has learned.

The telephone giant, already struggling with a strike by union workers, was scrambling Sunday night to shut down the offending web application: a system designed to allow customers to file new repair reports, and track existing reports, over the Internet. Because of a basic design flaw, users could put in any phone number in Verizon's northeastern U.S. service area, and, by viewing the source of the resulting page, see the owner's name and address, as well as other information.

"We're going to have to go to a fix, obviously," said company spokesperson Larry Plumb, who learned of the flaw through SecurityFocus's inquiry. "We won't open up that application again until we have the problem solved."

The flaw provided a textbook example of the risks of injudiciously connecting the web to existing systems and databases. It worked like this: a user could type in any phone number, and a description of the problem they're ostensibly reporting, into a 'Repair Request Form' on Verizon's BellAtlantic.com website, then click 'submit.' Behind the scenes, Verizon's server would then pull up the service record for that number from the phone company's Loop Maintenance Operations System (LMOS) -- a separate legacy system that stores customer names, addresses and detailed repair histories.

Information in the LMOS record is used in pre-processing the new repair report. But rather than do that work on its own computers, Verizon offloaded it onto the user's own PC by putting the record, and the code to process it, into a JavaScript program on a new web page. "It takes essentially your service record, the record of service on your line, and it sends that to your computer," said George Imburgia, a network engineer and Verizon customer who discovered the flaw Saturday while reporting trouble on one of his phone lines. "Then it sends a program to check things out."

Most of that information is not displayed to the user by the JavaScript code. Indeed, a portion of the code explicitly checks a field called ET_DRCTY_INFO_CD to see if its value is NPUB, for 'Non Published.' If it is, the JavaScript program doesn't display the customer's name, stored in a field called ET_LISTED_NAME.

But because it's all running on the user's own computer, the user need only view the source code of the web page to see the information -- a trivial matter in both Netscape and Explorer web browsers.
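The two patterns the article contrasts, as an added example that is not Verizon's code: the vulnerable page serializes the whole LMOS record into the browser and lets client-side JavaScript decide what to show, while the hardened version makes the NPUB decision on the server with an allow-list so withheld fields never leave it. Field names ET_DRCTY_INFO_CD, ET_LISTED_NAME and ET_IRATE_CUST_IND are from the article; the sample record values and the remaining field names are constructed.

```javascript
// Constructed sample LMOS record. Only the three ET_* names from the article
// are real field names; the others are assumed for illustration.
const sampleRecord = {
  ET_LISTED_NAME: "J. DOE",
  ET_DRCTY_INFO_CD: "NPUB",      // 'Non Published' number
  ET_IRATE_CUST_IND: "Y",
  ET_SERVICE_ADDR: "1 Example St", // assumed field name
  ET_TROUBLE_COUNT: 4,             // assumed field name
};

// Escape '<' so a record value can never close the <script> element.
function embedJson(obj) {
  return JSON.stringify(obj).replace(/</g, "\\u003c");
}

// Vulnerable pattern (what the article describes): the full record is shipped to
// the browser and the privacy check runs there. "View source" sees every field,
// including the irate-customer flag, whatever the script chooses to display.
function renderPageVulnerable(record) {
  return `<script>var rec = ${embedJson(record)};
if (rec.ET_DRCTY_INFO_CD !== "NPUB") document.write(rec.ET_LISTED_NAME);</script>`;
}

// Fields the repair form actually needs; everything else stays on the server.
// Assumed minimal set for the example.
const CLIENT_FIELDS = ["ET_LISTED_NAME", "ET_SERVICE_ADDR"];

// Hardened pattern: allow-list the fields, then apply the non-published rule
// here, before anything is serialized. The browser never receives what it must
// not show, so viewing the page source reveals nothing extra.
function redactForClient(record) {
  const out = {};
  for (const field of CLIENT_FIELDS) {
    if (field in record) out[field] = record[field];
  }
  if (record.ET_DRCTY_INFO_CD === "NPUB") {
    // Non-published subscriber: withhold identifying details entirely.
    delete out.ET_LISTED_NAME;
    delete out.ET_SERVICE_ADDR;
  }
  return out;
}

function renderPageHardened(record) {
  return `<script>var rec = ${embedJson(redactForClient(record))};</script>`;
}
```

Redaction alone does not address the other half of the flaw, that any visitor could submit any number; the redacted record should additionally be returned only for a line the requester is authenticated as owning.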

A programmer could also write a simple script to run through phone numbers sequentially, potentially amassing a huge database of unlisted numbers, limited only by bandwidth and the speed of Verizon's servers.

Imburgia said he only discovered the flaw because the complicated JavaScript code didn't execute properly. "At first I just filled the thing out, and I click submit and it just sits there," said Imburgia, who resorted to the web repair form after weeks of unsuccessful efforts to get Verizon to repair a rain-related phone outage. "So I wondered, what's this stupid thing doing, so I looked at the source."

In addition to seeing his name, address, and a count of the number of calls he'd placed to repair service since one of his lines stopped working (four times), Imburgia saw at least one piece of information that the phone company likely didn't want him to see: a flag called ET_IRATE_CUST_IND was set to 'Y' for yes.

Mark Rotenberg, director of the Electronic Privacy Information Center, sees a silver lining in the privacy gaffe. "I certainly don't think that third parties should have access to this, but I think that customers should have access to their own information," opined Rotenberg. "I think you should know, for example, if Verizon considers you an irate customer."

Copyright 2006, SecurityFocus