Full Report
A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. [...]
Analysis Summary
# Vulnerability: Verizon Call Filter API Insecure Direct Object Reference (IDOR) Exposing Call History
## CVE Details
- CVE ID: Not specified in the text.
- CVSS Score: Not specified in the text.
- CWE: CWE-284 (Improper Access Control) or CWE-639 (IDOR).
## Affected Systems
- Products: Verizon Call Filter API (accessed via a server associated with Cequint).
- Versions: Unspecified, but affects the API used by Call Filter subscribers.
- Configurations: Any logged-in Verizon user utilizing the Call Filter service that relies on this specific API endpoint.
## Vulnerability Description
The vulnerability exists in an API endpoint used by the Verizon Call Filter service. The weakness is a form of Insecure Direct Object Reference (IDOR) due to insufficient verification of user identity. An attacker could exploit this by using their own valid JSON Web Token (JWT) but supplying the phone number of *any other Verizon subscriber* in the `X-Ceq-MDN` header when requesting call history data. The API failed to confirm that the phone number requested in the header matched the phone number associated with the authenticated JWT payload. This allowed any authenticated user to view the incoming call history of another Verizon customer.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the researcher disclosed the finding.
- Complexity: Low (Requires valid user authentication via JWT and knowledge of the target phone number).
- Attack Vector: Network
## Impact
- Confidentiality: High (Exposure of call metadata, revealing contacts, routines, and relationships).
- Integrity: None/Low (Data read-only).
- Availability: None.
## Remediation
### Patches
- Specific patch details (e.g., version numbers) were not disclosed in the summary. **A fix implementing proper authorization checks on the `X-Ceq-MDN` header against the authenticated user's identity is required.**
### Workarounds
- No official workarounds were immediately provided in the summary. Users of the Call Filter service may consider temporarily disabling the service, though this is not confirmed as a solution.
## Detection
- Indicators of compromise (IOCs) are not specified.
- Detection would involve auditing API request logs for instances where the `X-Ceq-MDN` header value does not correspond to the authenticated user's identity established by the JWT.
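
The audit described above, as an added example (not code from Verizon, Cequint or the researcher): it reads the JWT payload of each logged request and flags records whose `X-Ceq-MDN` value differs from the token's subscriber number. The log record layout, the `sub` claim as the holder of the phone number, the sample numbers, and the premise that logged tokens already passed signature verification are all assumptions.

```python
import base64
import json

MDN_CLAIM = "sub"  # assumption: the claim that carries the subscriber number


def make_token(claims):
    """Build a constructed, unsigned sample token (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


def normalize_mdn(value):
    """Reduce a phone number to 10 digits so different formats compare equal."""
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the leading country code
    return digits if len(digits) == 10 else None


def token_mdn(token):
    """Read the MDN claim (signature not checked: logs are post-authentication)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        return normalize_mdn(json.loads(base64.urlsafe_b64decode(payload))[MDN_CLAIM])
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return None


def audit(records):
    """Return (request id, verdict) for every record that needs review."""
    findings = []
    for rec in records:
        claimed = token_mdn(rec.get("jwt"))
        requested = normalize_mdn(rec.get("x_ceq_mdn", ""))
        if claimed is None or requested is None:
            findings.append((rec["id"], "unverifiable"))
        elif claimed != requested:
            findings.append((rec["id"], "mdn_mismatch"))
    return findings


SAMPLE_LOG = [  # constructed records; numbers use the fictional 555-01xx range
    {"id": "r1", "jwt": make_token({"sub": "2025550101"}), "x_ceq_mdn": "2025550101"},
    {"id": "r2", "jwt": make_token({"sub": "2025550101"}), "x_ceq_mdn": "+1 (202) 555-0199"},
    {"id": "r3", "jwt": make_token({"sub": "+12025550101"}), "x_ceq_mdn": "202-555-0101"},
    {"id": "r4", "jwt": "not-a-jwt", "x_ceq_mdn": "2025550101"},
]
```

Running `audit(SAMPLE_LOG)` flags `r2` as a mismatch and `r4` as unverifiable, while `r3` passes because both values normalize to the same number. The same comparison, applied server-side before the call-history lookup and rejecting on mismatch, is the authorization check the Remediation section calls for.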
## References
- Vendor Advisories: Verizon disclosure, research by Connelly.
- Relevant links:
  - bleepingcomputer.com/news/security/verizon-call-filter-api-flaw-exposed-customers-incoming-call-history/
  - evanconnelly.github.io (Source of PoC/details referenced)