A critical vulnerability affecting Verizon’s webmail service could have been exploited by malicious actors to silently forward a targeted user’s emails to an arbitrary address.
Researcher Randy Westergren discovered several vulnerabilities in Verizon’s webmail portal. The most serious of them was related to the feature that allows users to forward all incoming emails to a specified address. When this feature is enabled, the forwarded emails are not shown in the normal Verizon inbox.
Analyzing the request sent when forwarding is activated and the response from the server, the researcher noticed a userID parameter. These types of parameters often introduce insecure direct object reference (IDOR) vulnerabilities, where an attacker can access content they are not authorized to access (e.g. a user account) simply by changing the value of the parameter.
The expert determined that the value of the userID was associated with an internal verizon ID. However, he found a way to look up the internal ID and obtain the mail ID for a specified email address by using a Verizon API.
Using this method, an attacker who possessed a Verizon email account could have substituted the value of the userID in their own request with the ID of a targeted user in order to forward all the victim’s emails to an arbitrary email address.
“Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, .e.g banking, Facebook, etc,” Westergren said in a blog post.
“Recall that incoming emails would no longer be received by the user’s inbox, so they would be oblivious to such an account compromise — this would also make it much easier for an attacker to go about resetting other passwords since the reset emails would never be received by the victim,” the expert noted.
The researcher developed a proof-of-concept (PoC) that he sent to Verizon along with a vulnerability report on April 14. The flaw was patched by Verizon nearly one month later – the telecoms giant attributed the delay to the recent strikes. While analyzing the issue discovered by Westergren, the company identified similar problems in other requests as well.
This is not the first time Westergren has found a serious vulnerability in a Verizon email application. Last year, the expert reported finding a flaw in the Android app for Verizon’s FiOS service. The weakness could have been exploited by malicious hackers to hijack the email accounts of Verizon customers.