Verizon has fixed a serious vulnerability in its FiOS Android app spotted by an eagle-eyed customer who claimed it allowed access to any customer’s email account.
Security researcher Randy Westergren revealed the issue in a personal blog post on Sunday.
He claimed that after running some tests on the FiOS internet, TV and phone app, he found a flaw in one of its web services which allowed him to read any Verizon email customer’s individual messages, and even to send new emails on their behalf.
“One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc,” he argued.
Westergren noticed that in a specific web request from his device to the Verizon server, his username was sent in a ‘uid’ parameter.
“Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies,” he explained.
“Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox.”
Testing other API methods in the app, he found they were also vulnerable, allowing him to read individual messages and send new outgoing emails on the user’s behalf.
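The flaw described above is a classic insecure direct object reference: the server verified that the caller had a valid session, but then took the account to act on from a client-controlled uid parameter instead of from that session. The following added example (not Verizon's or Westergren's code; the request shape, session store and mailbox data are constructed assumptions) shows a minimal mail-API handler in both the vulnerable form and the hardened form, where the mailbox owner is derived from the session and any conflicting client-supplied uid is rejected.

```python
"""
Illustrative authorization check for a mail API endpoint, modelled on the
uid-parameter flaw described in the article. Added example code; the
session store, inbox data and request shape are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample data: session cookie -> authenticated username,
# and username -> inbox contents.
SESSIONS = {"cookie-abc": "alice", "cookie-xyz": "bob"}
INBOXES = {
    "alice": ["Welcome, alice", "Your bill is ready"],
    "bob": ["Welcome, bob"],
}


@dataclass
class Request:
    cookies: dict
    params: dict


class AuthError(Exception):
    """Raised when the request is not authenticated or not authorized."""


def authenticated_user(req: Request) -> str:
    """Resolve the caller's identity from the session cookie only."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        raise AuthError("no valid session")
    return user


def get_inbox_vulnerable(req: Request) -> list:
    """Insecure: the session is authenticated, but the endpoint then trusts
    the client-supplied uid to decide WHOSE inbox to return (an IDOR)."""
    authenticated_user(req)       # session is checked...
    uid = req.params["uid"]       # ...but the object owner comes from the client
    return INBOXES[uid]


def get_inbox_fixed(req: Request) -> list:
    """Hardened: the inbox owner is the session user. A client-supplied uid
    is only tolerated when it matches; a mismatch is refused and is worth
    logging, since it is a strong signal of someone probing for this bug."""
    user = authenticated_user(req)
    requested = req.params.get("uid")
    if requested is not None and requested != user:
        raise AuthError(f"uid {requested!r} does not match session user {user!r}")
    return INBOXES[user]


def is_denied(handler, req: Request) -> bool:
    """True if the handler refuses the request with an authorization error."""
    try:
        handler(req)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    # Alice's session asking for Bob's inbox: the vulnerable handler leaks it,
    # the fixed handler refuses.
    cross_account = Request(cookies={"session": "cookie-abc"}, params={"uid": "bob"})
    print("vulnerable:", get_inbox_vulnerable(cross_account))
    print("fixed denied:", is_denied(get_inbox_fixed, cross_account))
```

The fix is deliberately not "validate the uid more carefully": the server simply never lets the client choose the account. Keeping the mismatch check (rather than silently ignoring the parameter) also gives the security team a log line to alert on.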
The Verizon corporate security team apparently responded extremely quickly to Westergren’s alert and it was fixed within two days.
Rapid7 global security strategist Trey Ford praised Westergren’s efforts and Verizon’s response.
“This is a great example of how the general curiosity of the public makes the Internet safer for all users. It demonstrates the value of coordinated disclosure and open vulnerability acceptance by companies,” he said.
“The research community is often intimidated away from reporting vulnerabilities to companies due to confusing laws and corporate lawyers responding unfavorably to any external entity finding flaws that could affect the company’s public image.”