Verizon has fixed an accidental password leak via the Verizon Hum website after security researcher Adam Caudill pointed out the issue after spending less than a minute looking at the site.
Verizon Hum is a new service launched by Verizon this summer. Hum, a collection of gadgets and apps, allows car owners to add modern tech to their older vehicles and transform them into actual smart cars.
Checking out the Hum website out of curiosity, Mr. Caudill, acting on his regular habits, had a quick look at the site’s source code.
“It took me approximately 30 seconds to notice the information being leaked – 30 seconds. With the vast resources of Verizon, you would think that they could have found someone with a basic understanding of security to spend 30 seconds looking at it,” Mr. Caudill said in an email to Softpedia.
Apparently, at the time when Mr. Caudill accessed the Hum website, there was a large block of JSON code at the top of the website’s source code.
Not the first time when someone forgets debug code in a website’s source
The JSON contained something that looked like debug code, and somewhere in there, somebody left the username and password of an API endpoint.
Mr. Caudill informed Verizon about their security slip-up, and by December 25, they’ve removed the naughty code from the site’s public source.
Verizon told Mr. Caudill that the credentials (with the extremely simple “Weblogic12” password) were not associated with an API that allowed attackers to scrape data for Verizon clients.
“Most likely, this was being included as debugging information – something that a developer added to troubleshoot an issue, but never removed,” Mr. Caudill explained. “This shows a lack of security controls.”
Mr. Caudill confirmed himself that the problematic JSON code and the API password are not displayed in Hum’s website anymore.
Something similar happened to a Danish bank at the start of October, when a Dutch researcher discovered that one of their public servers was left in debug mode, exposing customer data.