Hackers could have easily hijacked the email accounts of Verizon customers by leveraging a vulnerability in a FiOS Web service, a researcher revealed on Sunday.
Software developer and security researcher Randy Westergren discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS.
While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account.
The researcher later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. Westergren even managed to send out an email on another user’s behalf by exploiting the vulnerability.
“One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.,” the expert wrote in a blog post.
The researcher created a proof-of-concept script that fetched the emails of a certain user and printed the sender addresses and subject lines on the screen. The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant confirmed the existence of the issue by the next day.
The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year.
Verizon’s controversial tracking header
Last week, computer scientist and lawyer Jonathan Mayer revealed that Verizon’s advertising partner Turn had been using the telecoms company’s UIDH tracking header to monitor users’ activities.
Turn had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out.
The existence of Verizon’s controversial system came to light last year, but the company denied using the tracking method in its own business model. After being exposed by Mayer, Turn announced on Friday that it will suspend its “zombie cookies” program.
“This is a step toward victory for everyone who spoke out against Turn's zombie cookies, but it is not enough. Turn's cookies just underscore the huge privacy problems with Verizon's header injection. Turn's cookies were the first example found, but Verizon enables any company to use the identifier in similarly abusive ways, some of which may not be visible to users,” the Electronic Frontier Foundation (EFF) said. “Verizon needs to follow Turn's lead, and end their UIDH header injection program immediately.”