Tuesday 20 January 2015

Verizon rushes fix for email account open season security flaw

glowing-keyboard-hacker-security-620x465.jpg
A security researcher has discovered a vulnerability in the API used by Verizon's My FiOS mobile application which allowed any user access to any Verizon email account -- and a fix has been rapidly pushed out. As reported by ThreatPost, Verizon pushed a fix out for the flaw last week after security researcher Randy Westergren Jr disclosed the vulnerability. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours.
The security researcher, who is a Verizon FiOS customer, disclosed details of the vulnerability once a fix was issued for customers. Westergren said he discovered a vulnerability in the API which allowed a user to access any Verizon email account, scan their inbox, read individual emails and send messages on their behalf. Naturally, this is a severe problem as so many of us connect other accounts to our email addresses -- ranging from social media accounts to e-commerce and banking -- and Verizon is a large provider of Web and email services in the United States.
While proxying requests from his device, Westergren noticed an interesting call to fetch when pulling emails in. There were two references to his username, one being:
getEmail?format=json&uid[hisusername]
The response to call was a JSON object containing header information for the emails in his inbox. However, Westergren then stumbled upon something interesting.
"Altering the uid parameter and specifying another username shouldn't have an effect, since I'm logged in and my session is maintained through my cookies," the researcher noted. "Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected."
Once the security researcher prepared a proof-of-concept exploit, Westergren realized that playing with different parameters also allowed him to send and delete email from another user's email inbox.
Westergren tested his exploit against the API, confirming the system was vulnerable. He also believes all the API methods for the software's widget within the app were vulnerable, and so if the API has been re-used by Verizon, other apps released by the US carrier were not secure.

The security researcher recognized how serious this flaw could be, and reached out to Verizon's corporate security after failing to get a worthwhile response on Twitter. Within two days, a fix had been prepared, confirmed by the researcher and released to the public.
"Verizon's security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. "They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude."

No comments:

Post a Comment