
Wednesday, 26 November 2014

Verizon Wireless Injects Identifiers to Track Mobile Customers’ Online Activities





The nation's largest telecom operator, Verizon Wireless, is tracking its customers' mobile internet traffic by adding a token to Web requests traveling over its network, in order to facilitate targeted advertising, even if a user has opted out of their Customer Proprietary Network Information (CPNI) options.

The Precision Market Insights division of Verizon has been collecting users' data for more than two years, with the launch of the Unique Identifier Token Header (UIDH) under its Relevant Mobile Advertising program. The company also expanded its program to cover all Verizon Wireless subscribers.

UIDH TRACKS CUSTOMERS' EVERY MOVE ON WEB
When consumers visit certain websites or mobile apps, the Verizon network adds cookie-like X-UIDH header tokens to Web requests traveling over its network, with a unique value/identifier for each mobile device.

Verizon's solution is called PrecisionID, and it is being used to create a detailed picture of users' interests and help clients tailor advertisements, according to Verizon's own documentation.

The outcome is that Verizon Wireless, the second largest cellular communication provider in the U.S., is sending a unique identifier for you to each and every unencrypted website you visit using your mobile device, which means that, in the worst case, advertisers can track your every move and everywhere you have been.

Though the company started the service two years ago, security experts began warning of the issue this week. "Verizon is rewriting your HTTP requests to insert a permacookie? Terrible," Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, tweeted about the issue on Wednesday.

USERS' EVERY PERSONAL DATA IS COLLECTED
The UIDH value, which changes each week, is used to provide targeted advertisements under Verizon's Precision Market Insights from participating advertisers, which can request location and market-segment information. The information used by advertisers includes subscribers' postal address, device type and language preferences to build profiles, along with gender, age, hobbies and personal interests.
"In addition, we will use an anonymous, unique identifier we create when you register on our websites. This may allow an advertiser to use information they have about your visits to online websites to deliver marketing messages to mobile devices on our network," Verizon said on its website. "We do not share information that identifies you personally outside of Verizon as part of this program. [Some of this information was] obtained from other companies."
VERIZON TRACKS YOU EVEN IF YOU'VE OPTED OUT
The strange thing is that you can't do anything about the issue. Even if you opt out of all the Verizon tracking, use a privacy mode in your browser and enable Do Not Track, use a different browser, change to a new phone, or use a tethered laptop for browsing, you are still not safe.

UIDH allows Verizon to link a website visitor to its own internal profiles, in an attempt to allow client websites to target advertising at specific segments of the consumer market.

HOW TO PROTECT YOURSELF
Verizon offers privacy settings, but they don't prevent the X-UIDH header from being sent. The only known solution left to you is to encrypt all your browsing. You can do this using HTTPS Everywhere, but this only works if the website supports HTTPS. Because this issue is already being exploited in the wild, the best solution is to use full encryption through a VPN like Tunnelbear, or through Tor.

Next, let's get Verizon Wireless to change this policy, by arguing that the service is essentially tracking users and that companies paid for a fundamental service that should not be using the data for secondary purposes.

By "Kunal Vohra", Director@H2K


Tuesday, 28 October 2014

Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device


The National Institute of Standards and Technology (NIST) is warning users of a newly discovered zero-day flaw in the Samsung Find My Mobile service, which fails to validate the sender of lock-code data received over a network.

The Find My Mobile feature implemented by Samsung in its devices is a mobile web service that gives Samsung users a set of features to locate a lost device, play an alert on a remote device, and remotely lock the phone so that no one else can get access to the lost device.

The vulnerability in Samsung’s Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make the device ring.

Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim into loading a specially crafted HTML exploit page. Basically, an attacker uses a CSRF attack to trick a victim into clicking a URL link that contains malicious or unauthorized requests.

The malicious link has the same privileges as the authorized user, so it can perform an undesired task on behalf of the victim, such as changing the victim's e-mail address, home address, or password, or purchasing something. A CSRF attack generally targets functions that cause a state change on the server, but it can also be used to access the victim’s sensitive data.
"In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website," Elnoby said.
The researcher has also provided a proof-of-concept (POC) video that gives a detailed explanation of how he made the attack work on Samsung’s Find My Mobile feature.

According to the researcher, the first attack, remotely locking the victim’s device, is critical if exploited because attackers are able to lock the victim’s device with a lock code of their own choice, forcing the victim to recover the lock code through their Google Account.

US-CERT/NIST identified the vulnerability in Samsung Find My Mobile as CVE-2014-8346 and rated the severity of the flaw as HIGH, with an exploitability score of 10.0.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," the security advisory issued by the NIST states.
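The missing check the advisory describes, validating where a lock request came from, can be sketched on the server side as a handler that accepts the session cookie alone next to one that also requires a same-origin, session-bound token. This is an added example and not Samsung's code; the origin, session id, form fields and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)            # per-deployment secret
TRUSTED_ORIGIN = "https://tracker.example"      # hypothetical site origin


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded in the site's own lock form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def lock_unchecked(session_id, headers, form):
    """'Before': the session cookie alone authorizes the state change."""
    if not session_id:
        return 401
    return 200  # the lock code from `form` would be applied here


def lock_checked(session_id, headers, form):
    """'After': the request must also prove it came from the site's own page."""
    if not session_id:
        return 401
    if headers.get("Origin") != TRUSTED_ORIGIN:
        return 403  # cross-site submission
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403  # token missing or not bound to this session
    return 200


# Constructed sample requests. The browser attaches the session cookie to
# both, which is why the cookie alone cannot tell them apart.
SESSION = "sess-constructed-01"
CROSS_SITE = ({"Origin": "https://other.example"}, {"lock_code": "0000"})
SAME_SITE = ({"Origin": TRUSTED_ORIGIN},
             {"lock_code": "4821", "csrf_token": issue_csrf_token(SESSION)})

if __name__ == "__main__":
    for name, (hdrs, form) in (("cross-site", CROSS_SITE), ("same-site", SAME_SITE)):
        print(name, lock_unchecked(SESSION, hdrs, form), lock_checked(SESSION, hdrs, form))
```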

By "Kunal Vohra", Director@H2K
