Verizon has confirmed that it has fixed a vulnerability in its My FiOS app, to enable users’ ability to securely access their Verizon email via the app.
In a story published by Forbes, it revealed that there was a vulnerability in Verizon’s My FiOS Android app that could be exploited to gain access to other customers’ emails with little effort.
The bug was uncovered by Randy Westergren, senior software developer with XDA-Developers, who said the flaw would have allowed an attacker to take control of any Verizon customers’ email account to view and send messages. He found the flaw whilst checking interactions between the app and the Verizon server responsible for handling My FiOS accounts.
Westergren was shocked to discover that he could simply switch out his own user ID – RWESTERGREN05 – with the user name of another account to reveal the latter’s email. By tinkering with other email-related parameters, the researcher could read and send email on behalf of other users.
In a statement sent to IT Security Guru, Verizon acknowledged that Westergren tipped the company on 14th January 14, it investigated it and corrected the issue in less than 36 hours. It said: “We appreciate the constructive and collaborative approach that he chose to resolve a security challenge. Working together, as we did, benefits everyone.”
It also said that the flaw was limited to the Android version of the My FiOS app and was experienced by a small subset of users – those who use it to access their email, which few of them do. Beginning last night, users of the Android version receive an automatic corrective update pushed to their device when they use the app
However Verizon dismissed claims that its emails are not secured using SSL, saying that Verizon email is secured in transit using SSL/TLS encryption. “If you go to the Verizon Webmail sign-in page, you’ll see the HTTPS marker in its URL,” it said.
Trey For
d, global security strategist at Rapid7, said: “This is a great example of how the general curiosity of the public makes the internet safer for all users. It demonstrates the value of coordinated disclosure and open vulnerability acceptance by companies.
“Thankfully, the researcher felt safe in reporting his finding to Verizon. The research community is often intimidated away from reporting vulnerabilities to companies due to confusing laws and corporate lawyers responding unfavourably to any external entity finding flaws that could affect the company’s public image.
“Randy Westergren (per his blog) believes in disclosure, and apparently did a solid job communicating his finding, and provided a proof of concept exploit, which effectively communicated and demonstrated the risk exposed by the vulnerable API. Kudos to Randy and Verizon for a textbook example of coordinated disclosure, and acting in the best interest of customers.”