RE: verizon wireless website gaping privacy holes

From: Jeff Carnahan (tailsat_private)
Date: Sun Sep 02 2001 - 23:36:14 PDT


    } I tried random session IDs and they gave similar results, except the
    } minutes used changed, and so did the phone number. I think this is a
    } major problem myself. Phone numbers could be gathered for marketing
    } etc etc.
    } 
    
    In addition to the exposed cellular numbers and usage
    information, the session ID also yields the user's
    account/login name.
    
    Using a URL similar to the one provided earlier, again
    taking advantage of the sequential nature of the
    session ID code, you should look at the URL being used
    to load the pop-up windows. It contains a parameter
    "p_userid" set to what appears to be the
    login/username of the subscriber's account. Different
    session IDs yield different usernames, some include
    the zip code of the subscriber which allows them to be
    easily located in conjunction with the telephone
    number revealed in the "View my recent usage" section.
    
    Also included in the URL is the user's Verizon account
    number, market information, & session timeout date...
    
    One session ID produced the message:
    
    DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN
    PROCESS:                        ACOPT07H GETUSGA   
    INTERNET08448771                                      
          2001/245  23:20:53
    
    The spacing is exactly as it appeared. Perhaps this
    will sound the alarm to Verizon that they have a
    serious problem.
    
    --
    Jeff C.
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 08:15:20 PDT
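
Added example, not part of the original post and not code from the site discussed: a minimal server-side session store showing the two controls whose absence the thread describes, namely session IDs drawn from a CSPRNG instead of a sequence, and the account identity taken from the session record rather than from a URL parameter such as "p_userid". The class and function names, the TTL value and the sample usage table are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # assumed idle timeout, in seconds


class SessionStore:
    """Maps unguessable tokens to the account that logged in (kept server-side)."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: neighbouring values reveal nothing,
        # unlike a counter where ID n+1 is someone else's live session.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def resolve(self, token):
        """Return the owning user_id, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires = entry
        if self._clock() >= expires:
            del self._sessions[token]  # expiry is enforced here, not in the URL
            return None
        return user_id


def usage_for_request(store, usage_db, token, requested_user=None):
    """Serve usage data only for the account bound to the session.

    requested_user stands in for a client-supplied parameter like p_userid;
    it is never used to select the record, only rejected on mismatch.
    """
    owner = store.resolve(token)
    if owner is None:
        raise PermissionError("invalid or expired session")
    if requested_user is not None and requested_user != owner:
        raise PermissionError("session does not own the requested account")
    return usage_db[owner]


# Constructed sample data for the example.
DEMO_USAGE = {"alice": {"minutes_used": 120}, "bob": {"minutes_used": 45}}
```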