[Leaked News] Verizon Leaking Credentials

rofl cake

https://adamcaudill.com/2015/12/25/verizon-hum-leaking-credentials/
Adam Caudill said:
Username, password. Embedded in JavaScript. Seriously.
Adam Caudill said:
I’ve reached out to Verizon via Twitter to ensure that they are aware that this information is being leaked. I attempted to email both [email protected] and [email protected] – neither of which are valid addresses (another surprise from a company that should have a clue).
HTML:
{
  ...
  "verizonApi":{
    "rest":{
      "source_name":"ss",
      "organization":"Tech",
      "region":"US",
      "application_name":"VV",
      "default_timeout":"15000",
      "integration_id":"12345",
      "order_type":"NEW_VV",
      "channel_name":"Online",
      "debug":"1"
    },
    "soap":{
      "username":"vv_aia_integration_user",
      "password":"Weblogic12"
    },
    "calculate_tax":{
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/TaxCalculation\/products\/tax\/totalAmount",
      "behavior":"call_api"
    },
    "catalog_sync_promotion_detail":{
      "external_url":"http:\/\/atlspare05xd.hughestelematics.net:8011\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "timeout":"60000",
      "url":"http:\/\/osb-bss-vv.vtitel.net\/HTIWebGateway\/vv\/rest\/CatalogSync\/catalogSync\/get\/detail\/promotion",
      "behavior":"call_api"
    },
    ...
  }
}
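A pre-release check for the kind of exposure shown in the excerpt above, as an added example that is not part of the original post or of Verizon's code: it walks a config object destined for client-side JavaScript and flags secret-looking keys, service account names, cleartext http:// backend URLs and an enabled debug flag. The function name, rule names, key patterns and sample config are assumptions made for illustration.

```javascript
// Added example: audit a config object before it is embedded in a page.
// Rule names and key patterns are hypothetical, chosen for this illustration.
const SECRET_KEY = /pass(word|wd)?|secret|token|api[_-]?key|credential/i;
const ACCOUNT_KEY = /^(user(name)?|login)$/i;

function auditClientConfig(node, path = "$", findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => auditClientConfig(item, `${path}[${i}]`, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (typeof value === "string") {
        if (SECRET_KEY.test(key) && value !== "") {
          findings.push({ path: here, rule: "secret-in-client-config" });
        } else if (ACCOUNT_KEY.test(key) && value !== "") {
          findings.push({ path: here, rule: "service-account-name" });
        } else if (/^http:\/\//i.test(value)) {
          findings.push({ path: here, rule: "cleartext-backend-url" });
        } else if (/^debug$/i.test(key) && /^(1|true)$/i.test(value)) {
          findings.push({ path: here, rule: "debug-enabled" });
        }
      } else {
        // Nested objects and arrays are walked; numbers, booleans and null fall through.
        auditClientConfig(value, here, findings);
      }
    }
  }
  return findings;
}

// Constructed sample with the same shape as the excerpt; every value is a placeholder.
const sampleConfig = JSON.parse(`{
  "exampleApi": {
    "rest": { "region": "US", "default_timeout": "15000", "debug": "1" },
    "soap": { "username": "svc_placeholder", "password": "placeholder-value" },
    "calculate_tax": {
      "url": "http:\\/\\/backend.example.internal\\/rest\\/tax",
      "behavior": "call_api"
    }
  }
}`);

// Returns one "rule path" string per finding, in document order.
function auditSample() {
  return auditClientConfig(sampleConfig).map(f => `${f.rule} ${f.path}`);
}
```

Run in a build step against whatever object the server serialises into the page, and fail the build when the returned list is not empty.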
 

RSX

Seriously, what's so wrong about embedded authentication tokens in JavaScript? There's absolutely nothing wrong with that and many sites use that method. The ways an attacker would be able to acquire them are the exact same ways they were using before to get them from RESTful auth requests. Do note, I'm not defending the plain text password part, as that's disgraceful, and that's the part you should be getting your pitchforks out at. The emphasis on the JavaScript part is just silly imho.
 