Attacker could send messages from a different user's address

Jan 19, 2015 15:18 GMT

A security flaw in Verizon's My FiOS mobile application permitted unauthorized access to the contents of other customers' inboxes.

By exploiting the flaw, any authenticated user could retrieve a different customer's email messages and send mail on that customer's behalf.

User ID in requests not checked against the session

Software developer and security researcher Randy Westergren discovered the flaw by inspecting the traffic exchanged between the My FiOS client and Verizon's servers.

My FiOS gives customers access to their Verizon account and services; it can also be used to listen to voicemail, pay bills, check recent account activity and redeem gifts offered by the company.

The researcher observed that by simply replacing his own user ID in the API requests with that of a different customer, he could read that customer's emails, a textbook insecure direct object reference.

He had expected the login state and the session cookies to confine him to his own inbox. They did not: the server acted on the user ID supplied in the request rather than on the identity bound to the session, and he was also able to send an email on another user's behalf.

“One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.,” he wrote in a blog post on Sunday.

Verizon fixed the problem promptly

After confirming which of the mobile application's API methods were vulnerable, Westergren wrote a proof-of-concept script to demonstrate the finding and delivered it to Verizon. The script was simple: it logged in as a valid user, retrieved the inbox message headers for a targeted account, and printed the sender addresses and subject lines.
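The request tampering described under "User ID in requests not checked against the session" and the proof-of-concept logic described here, as an added example that is neither Verizon's server code nor Westergren's script: a toy in-memory inbox API in Python with the vulnerable handler (authenticates the caller, then trusts the user ID in the request) beside two hardened variants, and a probe that mirrors the PoC flow of logging in as one customer and requesting another's inbox headers. The class name, customer IDs, passwords and messages are all constructed for the illustration.

```python
"""Toy model of an inbox API with an insecure direct object reference.

Constructed example: InboxService, the customer IDs, passwords and
messages below are hypothetical and exist only for this illustration.
"""
import secrets

# Constructed sample data: two customers, each with a few inbox headers
# as (sender, subject) pairs.
INBOXES = {
    "cust-1001": [("alice@example.com", "Your bill is ready")],
    "cust-2002": [
        ("bank@example.com", "Password reset code"),
        ("bob@example.com", "Re: dinner"),
    ],
}
PASSWORDS = {"cust-1001": "attacker-pw", "cust-2002": "victim-pw"}


class InboxService:
    """Server side of the toy API. Sessions map a random token to a user."""

    def __init__(self):
        self._sessions = {}  # session token -> authenticated user ID

    def login(self, user_id, password):
        """Authenticate and mint a session token (the 'login state')."""
        if PASSWORDS.get(user_id) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = user_id
        return token

    def _authenticate(self, token):
        """Return the user ID bound to the session, or refuse."""
        try:
            return self._sessions[token]
        except KeyError:
            raise PermissionError("not logged in") from None

    # Vulnerable: the caller must hold a valid session, but the inbox that
    # is returned is chosen purely by the user_id parameter in the request.
    # Any logged-in customer can read any other customer's headers.
    def get_inbox_headers_vulnerable(self, token, user_id):
        self._authenticate(token)          # who is calling?  checked
        return list(INBOXES[user_id])      # whose inbox?     not checked

    # Fixed: authorize the object against the session identity.
    def get_inbox_headers_fixed(self, token, user_id):
        session_user = self._authenticate(token)
        if user_id != session_user:
            raise PermissionError("forbidden: not the owner of this inbox")
        return list(INBOXES[user_id])

    # Better still: do not accept a user ID from the client at all; the
    # session already says whose inbox is being requested.
    def get_my_inbox_headers(self, token):
        session_user = self._authenticate(token)
        return list(INBOXES[session_user])


def probe(service, attacker_id, attacker_pw, victim_id, handler_name):
    """Mirror the PoC flow: log in as a valid user, then request the
    headers of a different account. Returns the headers on success and
    None when the server refuses."""
    token = service.login(attacker_id, attacker_pw)
    handler = getattr(service, handler_name)
    try:
        return handler(token, victim_id)
    except PermissionError:
        return None


if __name__ == "__main__":
    svc = InboxService()
    for handler in ("get_inbox_headers_vulnerable", "get_inbox_headers_fixed"):
        leaked = probe(svc, "cust-1001", "attacker-pw", "cust-2002", handler)
        print(f"{handler}: ", end="")
        if leaked is None:
            print("refused")
        else:
            for sender, subject in leaked:
                print(f"  {sender}  |  {subject}")
```

The only difference between the two read handlers is the single ownership comparison; the session lookup alone, which the vulnerable handler already performs, proves who is calling but says nothing about whose data they may touch. The same rule applies to the write path (sending mail), where the "from" account must likewise come from the session rather than the request body.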

The company was contacted on Wednesday and replied the same day to say that an investigation had begun.

On Thursday, Verizon confirmed the vulnerability, and the next day it announced that it had deployed a patch that eliminated the issue.

“Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously. They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude,” Westergren says at the end of his post.

[Image gallery, 3 images: inbox preview shown in the main panel of the app; My FiOS showing voicemail entries]