Developers Leave API Credentials in Verizon Hum Web site Source Code

Adam Caudill, an independent security researcher and software developer, recently discovered that the developers of the Verizon Hum website had left an API username and password in JSON embedded in the site's JavaScript. Caudill found the leaked credentials after looking at the Verizon Hum shopping page source code for less than a minute. Verizon has since fixed the error, removing the API username and password from the website source code.

Image Credit: Verizon

Launched in August 2015, Verizon Hum is an aftermarket vehicle technology and service that allows new car technology to be added to almost any car. Verizon Hum consists of an OBD reader, speaker, and smartphone app which together make it possible to enable connected-car services in almost any car manufactured in 1996 and newer. Verizon Hum provides services such as vehicle health, maintenance reminders, roadside assistance, stolen vehicle location assistance, and more.

Caudill discovered the leaked credentials in the Verizon Hum website source code on Christmas Day and posted about the security issue on Twitter:

This is not the first time leaked API credentials have been a cause for concern. Last year, ProgrammableWeb reported that hackers had created an algorithm that continuously searches GitHub for exposed Amazon Web Services (AWS) API keys. The hackers used those keys to spin up hundreds of EC2 servers and mine bitcoins.
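As an added, defensive illustration (not code from Verizon, Caudill or ProgrammableWeb), the following pre-deploy check scans client-side JavaScript for the two leak shapes described above: credential-like keys with non-empty values inside embedded JSON or object literals, and AWS access key IDs. The sample script, key names and placeholder values are all constructed for this example.

```python
import re
import sys

# Constructed sample of a shipped client script: an API login embedded as JSON,
# an AWS key in an object literal, and a harmless empty field (all placeholders).
SAMPLE_JS = """\
var cfg = JSON.parse('{"apiUsername":"svc-shop","apiPassword":"PLACEHOLDER-Pa55","endpoint":"/api"}');
var aws = { accessKeyId: "AKIAEXAMPLEEXAMPLE01", region: "us-east-1" };
var safe = { theme: "dark", apiPassword: "" };
"""

# Key names that should never carry a non-empty literal value in client-side code.
SENSITIVE_KEY = re.compile(
    r"(user(name)?|pass(word|wd)?|secret|token|api[_-]?key|accesskeyid)", re.I)
# AWS access key IDs have a fixed shape: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# One-level key/value pairs: "key": "value", 'key': 'value' or key: "value".
PAIR = re.compile(r"""["']?([A-Za-z_][\w-]*)["']?\s*:\s*(["'])(.*?)\2""")


def find_embedded_credentials(js_source):
    """Return (line_no, key, reason) for every suspicious literal in the JS text."""
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for key, _quote, value in PAIR.findall(line):
            if not value:
                continue  # an empty string is a placeholder, not a leaked secret
            if AWS_KEY_ID.search(value):
                findings.append((line_no, key, "aws-access-key-id"))
            elif SENSITIVE_KEY.search(key):
                findings.append((line_no, key, "credential-like key"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; a real hook would read the built bundle.
    hits = find_embedded_credentials(SAMPLE_JS)
    for line_no, key, reason in hits:
        print(f"line {line_no}: {key} ({reason})")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the deploy
```

Wire the script into CI or a pre-commit hook so the build fails before the bundle reaches the public site.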

Security should be a key concern for every technology provider. Some technology companies such as Dropbox, Google and Microsoft have implemented bug bounty programs to help prevent code errors and bugs from causing serious security issues. Code reviews are also used by many companies to help ensure code quality and security. It should be noted that there is a page on the Verizon website for reporting security vulnerabilities; however, the company does not have a bug bounty program at this time.

The API username and password have been removed from the Verizon Hum website source code. However, it is surprising that an error like this one could happen at a major technology company like Verizon in the first place.
