Verizon has patched a flaw in the API used by its My FiOS mobile application that let any user access any Verizon email account.
Verizon last week released an update to the API used by the My FiOS mobile application after a security researcher found an issue at the telecom giant that could allow anyone to gain access to every Verizon email account.
The report was filed on Wednesday, and in less than 48 hours Verizon had a fix in place that was then pushed out to users. It was later validated by researcher Randy Westergren Jr.
Westergren discovered the flaw and tested his proof-of-concept attack against the API. He said it's likely that the iOS app is also vulnerable, because APIs are often reused across apps. For the same reason, there's a chance that other Verizon email services applications are also vulnerable to the same security flaw.
“Before the app was released, it's obvious that there was no verification of the code, because even someone operating at a simple level could have spotted it prior to it being released to the production line,” Westergren said. “It's very alarming that this kind of process isn't in place; it appears like that from afar.”
Westergren said he had never used the application to manage his bank account; however, he decided to examine it because of the volume of data Verizon keeps about his account and the general state of mobile app security.
The flaw gave an attacker the ability not only to access the inbox and read messages, but also to delete and send messages. Since password resets are typically sent via email, an attacker could leverage this access to take over other online services, such as social media or banking accounts.
“I think they realized immediately how serious this was,” Westergren said, adding that he was able to reach Verizon quickly via the CorporateSecurity@verizonwireless.com email address.
Westergren said he had noticed the issue in an API call used to retrieve the emails in his inbox to build the application's inbox preview. In that call, Westergren said, there were two references to his username, one of them in a parameter:
He stated in his disclosure report that the response to the call was a JSON object containing header information for every email in his inbox. Entering a different username in the parameter, he said, returned that user's inbox contents.
“Altering a uid parameter or providing a different username shouldn't have any effect, as I'm already logged in with my current session kept through cookies. It's amazing that this wasn't the scenario,” Westergren said. “Substituting the uid for the username of an email account actually returned what was in their email inbox. This was enough of a problem; however, I then questioned whether other API methods were affected.”
In fact, by switching out other parameters, a user could delete and send messages too, he said, adding that he created a proof-of-concept script, which he emailed to Verizon.
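The bug described above is an insecure direct object reference: the API trusts a caller-supplied uid instead of the identity already bound to the session cookie. The following is an added example, not Verizon's code or Westergren's script; the session store, usernames and mailbox contents are constructed, and it shows the vulnerable handler pattern next to the fixed one.

```python
# Added example (not Verizon's code): an insecure direct object reference
# in an inbox API, shown as the vulnerable handler next to the fixed one.
# Names, the session store and the mailboxes are all constructed here.

# Constructed sample data: session cookie -> authenticated username,
# and each user's mailbox headers.
SESSIONS = {"cookie-abc": "alice", "cookie-xyz": "bob"}
MAILBOXES = {
    "alice": [{"from": "bank@example.com", "subject": "Password reset"}],
    "bob": [{"from": "hr@example.com", "subject": "Payroll"}],
}


class Forbidden(Exception):
    """Raised when the request does not match the session's identity."""


def authenticated_user(cookie):
    """Resolve the session cookie to the logged-in user (or None)."""
    return SESSIONS.get(cookie)


def inbox_headers_vulnerable(cookie, params):
    """Vulnerable pattern: the session only proves 'someone is logged in';
    the caller-supplied uid parameter then decides whose mailbox is read."""
    if authenticated_user(cookie) is None:
        raise Forbidden("not logged in")
    return MAILBOXES.get(params["uid"], [])


def inbox_headers_fixed(cookie, params):
    """Fixed pattern: the mailbox owner is the session user, never the
    parameter; a uid that disagrees with the session is rejected."""
    user = authenticated_user(cookie)
    if user is None:
        raise Forbidden("not logged in")
    requested = params.get("uid", user)
    if requested != user:
        # Worth logging and alerting on: a logged-in client naming
        # another account is exactly the access pattern of this bug.
        raise Forbidden(f"session user {user!r} requested uid {requested!r}")
    return MAILBOXES[user]
```

The fixed handler also gives the server a clean signal to alert on: any authenticated request whose uid does not match the session user.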
“The script registers an authorized user on this web-based service. It retrieves the inbox message headers for the intended user and prints out the from address along with the subject and line numbers,” he said.
The fix was announced on Friday, and Westergren confirmed with Verizon that it had been fixed.
“I wasn't able to verify this with iOS; however, I'm certain that the app was affected by the same issue,” Westergren said. “The API has a modular structure, meaning that different apps can utilize the same API instead of having to create two different versions. I'm unable to confirm that, but it's possible that the API could be used for different items, such as services from third parties.”