Hacking the call records of millions of Americans

(evanconnelly.github.io)

138 points | by voxadam a day ago

30 comments

  • twalkz a day ago

    > So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.

    Yikes. Seems like a pretty massive oversight by Verizon. I wish in situations like this there was some responsibility of the company at fault to provide information about whether anyone else had used and abused this vector before it was responsibly disclosed.
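The flaw quoted above is a missing object-level authorization check: the server answers for whatever phone number the client sends. The following is an added illustration, not Verizon's or Cequint's code, with constructed accounts and call records; it places the flawed handler beside a hardened one that binds the requested number to the signed-in account, normalises the number before comparing, and records denied requests so a detection rule has something to alert on.

```python
import re
from dataclasses import dataclass

# Constructed sample data (no real accounts): numbers owned by each account,
# and the call records stored per number.
ACCOUNT_NUMBERS = {
    "acct-1001": {"+15550001111", "+15550001112"},
    "acct-2002": {"+15550002222"},
}
CALL_LOGS = {
    "+15550001111": [{"at": "2025-01-02T10:00Z", "peer": "+15559990000", "secs": 120}],
    "+15550002222": [{"at": "2025-01-03T11:30Z", "peer": "+15558880000", "secs": 45}],
}
DENIED = []  # audit trail of rejected lookups; a burst of these per account is the IDOR probe signal


@dataclass
class Session:
    account_id: str  # set by the login flow, never taken from the request body


class Forbidden(Exception):
    pass


def canonical(number: str) -> str:
    """Normalise to E.164 so '(555) 000-1112' and '+15550001112' compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:  # assumption: a bare 10-digit number is North American
        digits = "1" + digits
    return "+" + digits


def vulnerable_retrieve(session: Session, phone_number: str) -> list:
    """The flawed pattern: returns records for any number the client names."""
    return CALL_LOGS.get(canonical(phone_number), [])


def retrieve(session: Session, phone_number: str) -> list:
    """Hardened: the number must belong to the authenticated account."""
    number = canonical(phone_number)
    owned = ACCOUNT_NUMBERS.get(session.account_id, set())
    if number not in owned:
        DENIED.append({"account": session.account_id, "requested": number})
        raise Forbidden("number not associated with the signed-in account")
    return CALL_LOGS.get(number, [])
```

Canonicalising before the ownership check matters: if the comparison were done on the raw string, a differently formatted copy of an owned number would be wrongly refused, and a lax fix might then loosen the check instead of the comparison.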

  • dotty- 20 hours ago

    > The Verizon Call Filter app uses the endpoint hxxps://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval to lookup call history for the authenticated user and display it in the app.

    Have you ever seen a more internal-looking domain name?

    • antonvs 7 hours ago

      It does look very internal, but the root domain name is more comprehensible than it might appear.

      Cequint is a company that provides caller ID services. "Vz" is short for Verizon. "Cid" is short for caller ID. That only leaves "we", which probably refers to either "wireless" or "web" in some way, e.g. wireless/web "edge" or "endpoint".

      The domain is therefore the Cequint Verizon Wireless (Web?) Edge Caller ID endpoint.

      I don't know what clr or aqx are, though. (I assume CLR is not Microsoft's Common Language Runtime, but I suppose it could be. I know at least one company that likes to name services after the technology used to implement them.)

      • quantified 2 hours ago

        "Vzw" probably is Verizon Wireless.

      • cAtte_ 6 hours ago

        Though it seems a little strange that the name of the endpoint would be repeated three times across the URL (including the domain name), it looks like CLR stands for "call log retrieval".

        • antonvs 2 hours ago

          If it was a snake it would have bit me

  • devmtk a day ago

    Crazy that this is possible at such a giant like Verizon. But it seems to happen more often than before.

    • umvi a day ago

      It's more possible at giants, IMO. Level of technical competence/excellence tends to be inversely proportional to company size. FAANG might be exceptions, but IMO large companies (like big banks, etc) have a lot of hidden technical incompetence you can't see.

      • antonvs 7 hours ago

        A major goal of the complex computing infrastructure at large orgs is to wall off the ignorance and/or incompetence to contain, mitigate, or prevent its consequences.

        (Note that "ignorance" is not pejorative here: not everyone can know everything.)

      • yobid20 a day ago

        No exceptions for FAANG. There is technical incompetence all over in there too.

    • devwastaken a day ago

      Start the big fines and criminal investigations and it'll be fixed tomorrow.

      • mxuribe a day ago

        I have a feeling that ever since late January 2025 in the U.S., oversight and regulatory overview might be more lax than in the past, and there will be less of those "pesky" fines and criminal investigations...which begs the question: will 2025 be the year of increased negligent and/or nefarious behavior, both from corporate entities as well as hackers?

        ...I gotta go take a walk near some nature and flowers, because I just depressed myself with my comment. :-(

  • adxl 20 hours ago

    Where was the pen testing?

    Who is in charge of security over there?

    There need to be some answers. This is such an obvious and easily exploited security hole that we need to ask what else is leaking from them.

    Good that they fixed it quickly.

    • ImPostingOnHN 7 hours ago

      A bug bounty might be viewed as a 24/7 pentest conducted by everyone in the world willing to work for the bounty price.

      While you're waiting a few days for Steve to get back from vacation and approve the PO for a pentesting contract, everyone else in the world is already pentesting your systems anyway.

      Doesn't look like Verizon has bug bounties, so I guess we're lucky that the person who found this one was willing to work for free.

  • chatmasta a day ago

    Call logs are printed on every billing statement by default. I believe it may even include SMS messages in some cases.

    This data has likely proliferated widely throughout the company, subsidiaries and contractors, to reside on an unknowable number of systems. I would assume call record metadata is fully compromised at this point.

    That's not to take away from the finding in the blog; I'm merely commenting on the question in its conclusion, about the implications of a barely known technology vendor controlling the vulnerable server holding this data.

  • vivzkestrel 16 hours ago

    I have always wondered something about this kind of hacking. How do you guys come up with these ideas? Should I download the top 100 apps from the App Store or Play Store and try to reverse them or introspect their requests and see if I hit a jackpot? Perhaps I can report a bug bounty and maybe score some credit from the company to whom the app belongs. There are millions of apps across both stores. Perhaps find a way to introspect all of them? No seriously, do you do this full time? Is ethical hacking your job, or how does this work? How do you randomly go about finding stuff that nobody has found out before?

    • iinnPP 10 hours ago

      Sometimes you are their customer and have the ability to verify your own data security.

      Normally those companies need an intervention from an authority to do something about it though.

      Source: Personal experience.

    • ImPostingOnHN 6 hours ago

      When you're reverse engineering a web API used by an app (I've done this for personal integrations and automations) via mitmproxy and/or a device emulator, sometimes API calls show up that make you go "hmmm".

      > There are millions of apps across both stores. Perhaps find a way to introspect all of them?

      I would be surprised if this method wasn't also being employed, if not by individual hackers, then in the form of growth hacking by companies who sell a means of fixing it.

      Still seems like something fun to try.

  • MPSFounder a day ago

    I am hoping they paid a bounty for this (> 20k). Otherwise doing the right thing isn't right in my opinion. Their MBAs will not see a lesson to be learned, but something that is to be swept under the rug.

    • dullcrisp a day ago

      I doubt 20k will affect their balance sheets very much, either.

    • ada1981 a day ago

      Yes. How much did they pay you for this discovery?

  • grg0 18 hours ago

    How isn't this the breaking news story of this and future weeks to come? The government likes to spread a lot of FUD about how foreign nation states can interfere with citizens, but when there is an actual vulnerability in such corporate turds as Verizon that actually allows the foreign nation to spy on you, nobody in the media bats an eye.

    Of course, the answer is that the corporations own both Congress and the media.

  • metalman 9 hours ago

    It's odd that this is called "hacking", as there is no formal procedure or rules around granting access to phone records, and the huge number of "scandals" involving the abuse of phone records and the open use in tracking phones for assassination of foreign nationals can't be done without the casual access to all phone records, so there can be no doubts about an ongoing situation that continuously violates everyone's right to private communication. The headline is best described as a test of complacency. Why bother?

  • coolThingsFirst 18 hours ago

    How did he intercept what API calls a mobile app was making?

    • zanecodes 18 hours ago

      Presumably by configuring the system-level HTTP proxy settings to point to a tool like mitmproxy or similar running on a machine on their LAN, and then installing a locally signed root CA certificate generated by the proxy, to enable it to decrypt TLS connections. I'm not familiar with the process on iOS, but it's pretty straightforward on Android. Some apps bundle their own root CA certificate (see "certificate pinning") and ignore the system certificates, which defeats this method unless you can decompile the app package, replace the bundled certificate with your own, and recompile/sideload the modified package. It's also possible they statically analyzed the app package to discover URLs.

      • brookst 7 hours ago

        In addition, there are TLS downgrade attacks that can trick a client into using SSL or a less secure cipher suite. Clients (and servers) can also prevent this, but it’s the classic long tail of vulns where it may mean blocking older clients, which might include third parties or abandoned automation.