Network Security, Vulnerability Management

Patched Verizon Messaging XSS bug allows for complete takeover of service

In a personal blog post published on Sunday, a security researcher provided details into a cross-site scripting vulnerability he discovered in the Verizon Messages SMS texting service, which was patched late in 2016.

According to researcher Randy Westergren, if attackers exploit this vulnerability using a crafted text message, they can take over the affected user's session and control all related functionality, including sending and receiving SMS messages in the guise of the victim.

After noticing that Verizon's Android and web apps supported various links, Westergren decided to look for possible XSS attack vectors in the Document Object Model (DOM) API. To that end, he texted himself various test links with special characters in order to see how the web app would render them. Sure enough, he uncovered a proof of concept for an XSS exploit and reported the finding in mid-November 2016.

Westergren stated that he reported the issue to Verizon on Nov. 18, 2016 and confirmed that the problem was patched on Dec. 9. Verizon's account differed slightly, in a statement issued to SC Media by a company spokesperson: "The issue Mr. Westergren refers to was resolved on the same day it was reported; November 21, 2016," the statement reads. "Collaboration between the Verizon security team and independent researchers like Mr. Westergren is an important part of how Verizon strengthens security and protects customer privacy. We appreciate his shared commitment to security and privacy."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.