Verizon fixed a critical flaw in its Verizon.net messaging system that permitted attackers to hack the email settings of other customers and forward email to any email account.
The flaw, found by Randy Westergren, a senior software developer with XDA Developers, impacted any of Verizon’s estimated 7 million FiOS subscribers who depended on their Verizon.net email accounts. Westergren initially reported the vulnerability to Verizon on April 14. The vulnerability was fixed by Verizon on May 12. Public disclosure of the flaw was Monday.
“I confirmed a very serious vulnerability: any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc.,” Westergren wrote in a technical description of the vulnerability.
The vulnerability was exploitable by leveraging an API endpoint intended to be used exclusively by Verizon’s webmail interface. “This was only a requirement for the attacker,” Westergren said. “While proxying my requests, I changed the forwarding settings on my own account in order to record the results.”
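The flaw is an insecure direct object reference (IDOR) vulnerability. In an IDOR, the application uses an identifier supplied in the request to reach an object, such as an account or its settings, without checking that the authenticated user is authorized for that object. This lets an attacker bypass authorization safeguards and access a system or settings directly.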
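An added example, not taken from the article, from Westergren's write-up or from Verizon's code: a forwarding-settings handler with the IDOR pattern beside one that enforces object-level authorization. All function names, session tokens, user IDs and addresses are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Mailbox:
    owner_id: str
    forward_to: Optional[str] = None
    audit: list = field(default_factory=list)

class Forbidden(Exception):
    pass

# Constructed sample data (hypothetical IDs and session tokens).
MAILBOXES = {"u-1001": Mailbox("u-1001"), "u-2002": Mailbox("u-2002")}
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-2002"}

def set_forwarding_vulnerable(session_token, user_id, address):
    """IDOR: the caller is authenticated, but user_id from the request is trusted."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    box = MAILBOXES[user_id]      # any valid session reaches any mailbox
    box.forward_to = address      # no check that the caller owns it
    return box

def set_forwarding_fixed(session_token, user_id, address):
    """Object-level authorization: the target must belong to the session's user."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not authenticated")
    box = MAILBOXES.get(user_id)
    # Same error for unknown and foreign IDs, so responses do not confirm
    # which internal IDs exist.
    if box is None or box.owner_id != caller:
        raise Forbidden("not authorized for this mailbox")
    box.forward_to = address
    # Record the change so a forwarding rule the owner did not set can be
    # found in review and the owner can be notified.
    box.audit.append(("forwarding_changed", caller, address))
    return box
```

Deriving the target mailbox from the session alone, and not accepting a user ID in the request at all, removes the parameter that the check has to guard.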
Westergren, who privately disclosed the proof-of-concept vulnerability, said that in order for an attacker to exploit the flaw against a specific email account they would first need to resolve the user’s internal Verizon ID into a user’s email address. “This was not a huge obstacle since Verizon exposes an API with which an attacker (or anyone) could look up this internal ID,” Westergren wrote.
Next, using proxy requests, Westergren was able to write a webmail session script that looked up and translated a target’s mail ID to an email address, and then set the forwarding address on the account.
“Incoming emails would no longer be received by the user’s inbox, so (they) would be oblivious to such an account compromise — this would also make it much easier for an attacker to go about resetting other passwords since the reset emails would never be received by the victim,” Westergren wrote.
Victims could easily have been exploited remotely – without any interaction – regardless of whether they accessed their email via app, webmail client or POP3/IMAP, according to Westergren.
This is the second Verizon email vulnerability found by Westergren. In January 2015 the security researcher uncovered an API used by Verizon’s My FiOS mobile application that allowed any user access to any Verizon email account.
Verizon did not return a request for comment.