} I tried random session IDs and they gave similar results, except the
} minutes used changed, and so did the phone
} number. I think this is a major problem myself. Phone numbers could
} be gathered for marketing etc etc.
}

In addition to the exposed cellular numbers and usage information, the session ID also yields the user's account/login name. Using a URL similar to the one provided earlier, again taking advantage of the sequential nature of the session ID code, you should look at the URL being used to load the pop-up windows. It contains a parameter "p_userid" set to what appears to be the login/username of the subscriber's account. Different session IDs yield different usernames, some include the zip code of the subscriber which allows them to be easily located in conjunction with the telephone number revealed in the "View my recent usage" section. Also included in the URL is the user's Verizon account number, market information, & session timeout date...

One session ID produced the message:

    DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN PROCESS: ACOPT07H GETUSGA INTERNET08448771 2001/245 23:20:53

The spacing is exactly as it appeared.

Perhaps this will sound the alarm to Verizon that they have a serious problem.

-- Jeff C.
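Added example, not part of the original post or of any Verizon code: a log check a site operator could run to spot one client presenting a run of adjacent session IDs, the pattern the thread describes. The log layout, the parameter name "p_session", the paths and all sample addresses and IDs are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: "<client address> <request URL>" per line.
# "p_session" is a hypothetical parameter name, not taken from the post.
SAMPLE_LOG = """\
203.0.113.9 /usage?p_session=881200
203.0.113.9 /usage?p_session=881201
203.0.113.9 /usage?p_session=881202
203.0.113.9 /usage?p_session=881203
198.51.100.4 /usage?p_session=775031
198.51.100.4 /bill?p_session=775031
198.51.100.4 /usage?p_session=775031
192.0.2.50 /usage?p_session=640010
192.0.2.50 /usage?p_session=912877
"""

def sessions_by_client(log_text, param="p_session"):
    """Map each client address to the set of numeric session IDs it presented."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, url = parts
        for value in parse_qs(urlsplit(url).query).get(param, []):
            if value.isdecimal():
                seen[client].add(int(value))
    return seen

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... in a set of integers."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n is the start of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def flag_enumeration(log_text, min_run=3):
    """Return {client: run_length} for clients that walked adjacent session IDs."""
    flagged = {}
    for client, ids in sessions_by_client(log_text).items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged

if __name__ == "__main__":
    for client, run in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {run} consecutive session IDs from one client")
```

A normal subscriber reuses one session ID and a shared gateway shows unrelated IDs, so only the client stepping through neighbouring values is flagged. Detection of this kind is a stopgap; the underlying fix is session identifiers that cannot be predicted and account data looked up server-side rather than carried in the URL.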
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 08:15:20 PDT