[HN Gopher] Hacking the call records of millions of Americans
___________________________________________________________________
Hacking the call records of millions of Americans
Author : voxadam
Score : 60 points
Date : 2025-04-02 16:37 UTC (6 hours ago)
(HTM) web link (evanconnelly.github.io)
(TXT) w3m dump (evanconnelly.github.io)
| MPSFounder wrote:
| I am hoping they paid a bounty for this (> 20k). Otherwise doing
| the right thing isn't right in my opinion. Their MBAs will not
| see a lesson to be learned, but something that is to be swept
| under the rug
| ada1981 wrote:
| Yes. How much did they pay you for this discovery?
| dullcrisp wrote:
| I doubt 20k will affect their balance sheets very much, either.
| devmtk wrote:
| Crazy that this is possible at such a giant like Verizon. But it
| seems to happen more often than before.
| umvi wrote:
| It's _more_ possible at giants, IMO. Level of technical
| competence/excellence tends to be inversely proportional to
| company size. FAANG might be exceptions, but IMO large
| companies (like big banks, etc) have a lot of hidden technical
| incompetence you can't see.
| yobid20 wrote:
| No exceptions for FAANG. There is technical incompetence all
| over in there too.
| devwastaken wrote:
| Start the big fines and criminal investigations and it'll be
| fixed tomorrow.
| mxuribe wrote:
| I have a feeling that ever since late January 2025 in the
| U.S., oversight and regulatory overview might be more lax
| than in the past, and there will be less of those "pesky" fines
| and criminal investigations...which begs the question: will
| 2025 be the year of increased negligent and/or nefarious
| behavior - both from corporate entities as well as hackers?
|
| ...I gotta go take a walk near some nature and flowers,
| because I just depressed myself with my comment. :-(
| twalkz wrote:
| > So surely the server validated that the phone number being
| requested was tied to the signed in user? Right? Right??
| Well...no. It was possible to modify the phone number being sent,
| and then receive data back for Verizon numbers not associated
| with the signed in user.
|
| Yikes. Seems like a pretty massive oversight by Verizon. I wish
| in situations like this there was some responsibility of the
| company at fault to provide information about if anyone else had
| used and abused this vector before it was responsibly disclosed.
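The gap quoted in the comment above is a missing object-level authorization check: the server authenticated the session but trusted a client-supplied phone number. The block below is an added illustration, not code from the blog post, the thread, or Verizon. It models a call-history lookup with the vulnerable check beside the hardened one, and adds the retrospective log check the comment wishes for (which sessions requested numbers not on their own account). Account lines, sessions, call records, the log format and all function names are constructed assumptions for the example.

```python
"""Added example: IDOR on a call-history lookup, vulnerable vs. hardened,
plus a retrospective log check. All data and names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: which phone numbers (E.164) belong to which account.
ACCOUNT_LINES: Dict[str, Set[str]] = {
    "acct-alice": {"+15551230001", "+15551230002"},
    "acct-bob": {"+15551230099"},
}

# Constructed: session token -> account id (the authentication layer).
SESSIONS: Dict[str, str] = {
    "sess-alice": "acct-alice",
    "sess-bob": "acct-bob",
}

# Constructed: call detail records keyed by phone number.
CALL_RECORDS: Dict[str, List[dict]] = {
    "+15551230001": [{"ts": "2025-03-30T10:00:00Z", "peer": "+15550000011", "secs": 120}],
    "+15551230002": [{"ts": "2025-03-30T11:00:00Z", "peer": "+15550000012", "secs": 30}],
    "+15551230099": [{"ts": "2025-03-31T09:30:00Z", "peer": "+15550000013", "secs": 600}],
}


@dataclass
class Response:
    status: int
    body: object


def authenticated_account(session_token: str) -> Optional[str]:
    """Authentication only: who is calling? None for an unknown token."""
    return SESSIONS.get(session_token)


def call_history_vulnerable(session_token: str, requested_number: str) -> Response:
    """Checks that the caller is signed in, then trusts the phone number the
    client sent. Any signed-in user can read any number's history."""
    if authenticated_account(session_token) is None:
        return Response(401, {"error": "not signed in"})
    return Response(200, CALL_RECORDS.get(requested_number, []))


def call_history_hardened(session_token: str, requested_number: str) -> Response:
    """Authentication plus object-level authorization: the requested number
    must be one of the lines on the caller's own account."""
    account = authenticated_account(session_token)
    if account is None:
        return Response(401, {"error": "not signed in"})
    if requested_number not in ACCOUNT_LINES.get(account, set()):
        # Same response for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate which numbers are live lines.
        return Response(404, {"error": "no such line on this account"})
    return Response(200, CALL_RECORDS.get(requested_number, []))


# Constructed access log in a hypothetical one-line-per-request format:
#   <timestamp> session=<token> number=<requested number>
SAMPLE_LOG = """\
2025-04-01T12:00:00Z session=sess-alice number=+15551230001
2025-04-01T12:00:05Z session=sess-alice number=+15551230099
2025-04-01T12:01:00Z session=sess-bob number=+15551230099
"""


def cross_account_lookups(log_text: str) -> Dict[str, Set[str]]:
    """Retrospective check: for each session, the numbers it requested that
    were not on its own account. Non-empty output means the gap was used."""
    hits: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        session, number = fields["session"], fields["number"]
        account = SESSIONS.get(session)
        if account is None or number not in ACCOUNT_LINES.get(account, set()):
            hits.setdefault(session, set()).add(number)
    return hits


if __name__ == "__main__":
    # Alice reading Bob's line: succeeds against the vulnerable handler only.
    print(call_history_vulnerable("sess-alice", "+15551230099"))
    print(call_history_hardened("sess-alice", "+15551230099"))
    print(cross_account_lookups(SAMPLE_LOG))
```

The authorization check keys on the server-side session, never on anything the client sent, and the log check is only as good as the logs: if the request body (the requested number) was never logged, the question the comment raises cannot be answered after the fact.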
| chatmasta wrote:
| Call logs are printed on every billing statement by default. I
| believe it may even include SMS messages in some cases.
|
| This data has likely proliferated widely throughout the company,
| subsidiaries and contractors, to reside on an unknowable number
| of systems. I would assume call record metadata is fully
| compromised at this point.
|
| That's not to take away from the finding in the blog - I'm merely
| commenting on the question in its conclusion, about the
| implications of a barely known technology vendor controlling the
| vulnerable server holding this data.
___________________________________________________________________
(page generated 2025-04-02 23:00 UTC)