Researcher discovered a way to brute force Verizon PINs online, meaning they could potentially break into Verizon customer accounts. In response, Verizon has taken the impacted web pages offline.
The issue revolved around that Verizon’s website was built in such a way that the researcher could enter many concurrent requests to guess a target’s PIN at the same time, but Verizon’s website would only register one attempt. Many websites are designed to block a person’s computer or temporarily lock an account if someone tries to guess a passcode and enters multiple incorrect attempts in a row. A hacker can essentially tip the chances in their favor by having many more guesses at once without the site stopping them.
This issue is known as a race condition. Microsoft faced a similar issue, when a researcher demonstrated it would be possible to brute force PINs for Microsoft accounts.
Armed with a customer’s PIN number, an attacker could have requested a change of SIM card Known as SIM swapping, this is an attack where hackers can redirect text messages to themselves to then break into other accounts. Harris said they could also add a new phone number to the target’s account or read a user’s text messages.
The race condition could allowed me to take over a Verizon wireless account as well. The vulnerability has been mitigated.