Verizon last week rushed out a patch for an API used by its My FiOS mobile application after a security researcher disclosed a vulnerability to the telecommunications giant that allowed any user access to any Verizon email account.
The report was submitted last Wednesday, and within 48 hours Verizon had prepared a fix, which was pushed to users and later confirmed by researcher Randy Westergren Jr.
Westergren found the vulnerability and tested his proof-of-concept exploit against the API; he said it’s likely the iOS app was also vulnerable since APIs are generally re-used. For the same reason, it’s possible that other Verizon applications contain the same type of information disclosure bug.
“Before they released the app, it’s clear there was no basic security or code review because even someone at the most basic level would have caught it before it hit production,” Westergren said. “It’s kind of alarming that a process like this doesn’t exist; it seems that way from the outside looking in.”
Westergren said he’d never used the app to manage his account, but decided to do so, given the amount of information Verizon stores on him and the overall state of mobile app security.
The vulnerability allowed an attacker not just to access an inbox and read messages, but also to send and delete them. Given that password resets are often sent over email, an attacker could leverage that access to gain access to other online services such as banking or social media.
“I think they realized immediately how serious this was,” Westergren said, adding that the CorporateSecurity@verizonwireless.com email account allowed him to connect with Verizon quickly.
Westergren said he noticed a problem in an API call used to fetch email messages in his inbox in order to populate an inbox preview for the app. In the call, he said there were two references to his username, including one in the parameter:
getEmail?format=json&uid=[his user name]
He said in his disclosure report that the response to the call was a JSON object with the header information for each email message in his inbox. Entering a different username within that parameter, he said, returned that user’s inbox contents.
“Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies. Amazingly, this was not the case,” Westergren said. “Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected.”
Indeed, by swapping out other parameters, he was able to send and delete messages as well, he said, adding that he wrote a proof-of-concept script which he sent to Verizon.
“The script logs a valid user into the web service, fetches the inbox message headers for the target user, and prints out the from address and subject lines,” he said.
The fix was pushed out on Friday, after which Westergren confirmed for Verizon that the issue was addressed.
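The flaw Westergren describes is an authorization check that trusts a caller-supplied identifier instead of the authenticated session. The following is an added illustration, not Verizon's code or Westergren's script: a minimal model of a getEmail handler with that defect beside a hardened version that binds the inbox to the session principal, plus a log check for the mismatch pattern. The session store, inbox contents and function names are constructed for the example.

```python
# Constructed sample data: inbox headers per account, keyed by username.
INBOXES = {
    "alice": [{"from": "bank@example.com", "subject": "Password reset"}],
    "bob": [{"from": "hr@example.com", "subject": "Payslip"}],
}

# Constructed session store: cookie value -> authenticated username.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}


def get_email_vulnerable(cookie, params):
    """Flawed handler: authenticates the session, then serves whatever uid
    the client asked for. The cookie proves *someone* is logged in, but the
    uid parameter decides *whose* inbox is returned."""
    if cookie not in SESSIONS:
        return 401, None
    uid = params.get("uid")  # attacker-controlled; never compared to the session
    return 200, INBOXES.get(uid, [])


def get_email_fixed(cookie, params):
    """Hardened handler: the inbox owner is the session principal. A uid that
    is present but does not match the session is refused rather than honored."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, None
    uid = params.get("uid", user)
    if uid != user:
        return 403, None  # object-level authorization failure
    return 200, INBOXES[user]


def uid_mismatches(access_log):
    """Detection helper: given (session_user, requested_uid) records from an
    API access log, return the ones where a logged-in user requested another
    account's inbox. On the vulnerable build these are successful reads; on
    the fixed build they are 403s worth alerting on either way."""
    return [(user, uid) for user, uid in access_log if uid and uid != user]


# Constructed log records: (authenticated session user, uid parameter sent).
SAMPLE_LOG = [("alice", "alice"), ("alice", "bob"), ("bob", None), ("bob", "alice")]
```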
“I was not able to test this on iOS, but I’m pretty sure it was affected as well,” Westergren said. “The API is modular, so multiple apps can use the same API rather than develop two versions. I’m not able to confirm it, but it’s possible that API could have been used for other things such as third-party services.”
This article was updated at 2:30 ET with clarifications.