Hacking the call records of millions of Americans
twalkz 1 day
> So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user.

Yikes. Seems like a pretty massive oversight by Verizon. I wish in situations like this there was some responsibility of the company at fault to provide information about if anyone else had used and abused this vector before it was responsibly disclosed.
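
The missing check from the quoted passage, sketched as an added example that is not part of this thread or of the original write-up: a lookup that trusts the client-supplied number next to one that ties it to the signed-in user and records denied attempts. The session fields, in-memory store, audit event name and phone numbers are constructed assumptions.

```python
import re

# Constructed sample data: call logs keyed by subscriber number (not real numbers).
CALL_LOGS = {
    "5550100001": [{"from": "5550100999", "ts": "2025-01-01T10:00:00Z"}],
    "5550100002": [{"from": "5550100888", "ts": "2025-01-02T11:30:00Z"}],
}

def normalize(number: str) -> str:
    """Reduce a number to 10 digits so formatting variants compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("not a 10-digit number")
    return digits

def lookup_vulnerable(session: dict, requested: str) -> list:
    """The flaw described: the caller is authenticated, but the
    client-chosen number is trusted without an ownership check."""
    if not session.get("authenticated"):
        raise PermissionError("login required")
    return CALL_LOGS.get(normalize(requested), [])

def lookup_hardened(session: dict, requested: str, audit: list) -> list:
    """Authorize the object, not just the caller: the requested number
    must be the one bound to the session at login (assumed field)."""
    if not session.get("authenticated"):
        raise PermissionError("login required")
    owned = normalize(session["subscriber_number"])
    try:
        wanted = normalize(requested)
    except ValueError:
        wanted = None  # malformed input is treated as a mismatch
    if wanted != owned:
        # Keep a record so abuse of the endpoint can be investigated later.
        audit.append({"event": "call_log_authz_denied",
                      "owner": owned, "requested": requested})
        raise PermissionError("number not tied to signed-in user")
    return CALL_LOGS.get(owned, [])
```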


dotty- 21 hours
> The Verizon Call Filter app uses the endpoint hxxps://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval to lookup call history for the authenticated user and display it in the app.

Have you ever seen a more internal-looking domain name?


devmtk 1 day
Crazy that this is possible at such a giant like Verizon. But it seems to happen more often than before.

adxl 21 hours
Where was the pen testing?

Who is in charge of security over there?

There need to be some answers, this is such an obvious and easily exploited security hole we need to ask what else is leaking from them?

Good that they fixed it quickly.


chatmasta 1 day
Call logs are printed on every billing statement by default. I believe it may even include SMS messages in some cases.

This data has likely proliferated widely throughout the company, subsidiaries and contractors, to reside on an unknowable number of systems. I would assume call record metadata is fully compromised at this point.

That’s not to take away from the finding in the blog – I’m merely commenting on the question in its conclusion, about the implications of a barely known technology vendor controlling the vulnerable server holding this data.