In December 2016, Verizon patched a cross-site scripting flaw that, if exploited, could allow attackers to take over a user's session and send and receive SMS messages in the guise of the victim.
In December 2016, Verizon patched a cross-site scripting flaw that, if exploited, could allow attackers to take over a user's session and send and receive SMS messages in the guise of the victim.

In a personal blog post published on Sunday, a security researcher provided details into a cross-site scripting vulnerability he discovered in the Verizon Messages SMS texting service, which was patched late in 2016.

According to researcher Randy Westergren, if attackers exploit this vulnerability using a crafted text message, they can take over the affected user's session and control all related functionality, including sending and receiving SMS messages in the guise of the victim.

After noticing that Verizon's Android and web apps supported various links, Westergren decided to look for possible XSS attack vectors in the Document Object Model (DOM) API. To that end, he texted himself various test links with special characters in order to see how the web app would render them. Sure enough, he uncovered a proof of concept for an XSS exploit and reported the finding in mid-November 2016.

Westergren stated that he reported the issue to Verizon on Nov. 18, 2016 and confirmed that the problem was patched on Dec. 9. Verizon's account differed slightly, in a statement issued to SC Media by a company spokesperson: "The issue Mr. Westergren refers to was resolved on the same day it was reported; November 21, 2016," the statement reads. "Collaboration between the Verizon security team and independent researchers like Mr. Westergren is an important part of how Verizon strengthens security and protects customer privacy. We appreciate his shared commitment to security and privacy."