
Verizon Fixes Vulnerability Exposing User Email Accounts

Hackers could have easily hijacked the email accounts of Verizon customers by leveraging a vulnerability in a FiOS Web service, a researcher revealed on Sunday.

Software developer and security researcher Randy Westergren discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS.

While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter to a different customer’s username, Westergren obtained the contents of the targeted user’s email account.

The researcher later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. Westergren even managed to send out an email on another user’s behalf by exploiting the vulnerability.
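The bug described in the two paragraphs above is an insecure direct object reference: the server let a client-supplied uid (and mid) select the mailbox instead of binding the lookup to the authenticated session. The following is an added illustration, not Verizon's code or the researcher's proof-of-concept; the mailbox data, user names, Session class and function names are all constructed for the example. It shows the vulnerable handler beside the hardened form and a small audit check that flags requests whose uid disagrees with the session owner.

```python
"""
Added example (not Verizon's code or the researcher's script): a minimal
model of the authorization bug described above, an insecure direct object
reference (IDOR), beside the hardened form. All mailbox data and user names
here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: mailboxes keyed by account username.
MAILBOXES = {
    "alice": [{"mid": 1, "from": "bank@example.com", "subject": "Statement ready"}],
    "bob":   [{"mid": 7, "from": "friend@example.com", "subject": "Lunch?"}],
}


@dataclass
class Session:
    """The server-side session established at login; the user is fixed here,
    not taken from the request."""
    user: str


class Forbidden(Exception):
    pass


def list_inbox_vulnerable(session: Session, params: dict) -> list:
    """Vulnerable pattern: trusts the client-supplied 'uid' parameter to pick
    the mailbox, so any logged-in user can read any other user's mailbox."""
    uid = params.get("uid", session.user)
    return MAILBOXES[uid]


def list_inbox_hardened(session: Session, params: dict) -> list:
    """Hardened pattern: the mailbox owner comes from the authenticated
    session. A client-supplied 'uid' is tolerated only if it matches; a
    mismatch is refused (and is worth logging as a tampering attempt)."""
    requested = params.get("uid")
    if requested is not None and requested != session.user:
        raise Forbidden(f"session user {session.user!r} requested uid {requested!r}")
    return MAILBOXES[session.user]


def read_message_hardened(session: Session, params: dict) -> dict:
    """Same rule for the per-message endpoint (the 'mid' parameter): the
    message is looked up only inside the session owner's own mailbox."""
    mid = int(params["mid"])
    for msg in list_inbox_hardened(session, params):
        if msg["mid"] == mid:
            return msg
    # Do not reveal whether that mid exists in someone else's mailbox.
    raise Forbidden("no such message in the caller's mailbox")


def audit_request(session: Session, params: dict) -> Optional[str]:
    """Detection helper: returns an alert string when the 'uid' in a request
    disagrees with the session owner, the signature of this bug being probed.
    Returns None for a clean request."""
    requested = params.get("uid")
    if requested is not None and requested != session.user:
        return f"IDOR attempt: session={session.user} uid={requested}"
    return None


if __name__ == "__main__":
    bob = Session(user="bob")
    # With the vulnerable handler, bob's session can read alice's inbox.
    print(list_inbox_vulnerable(bob, {"uid": "alice"}))
    # With the hardened handler the same request is refused.
    try:
        list_inbox_hardened(bob, {"uid": "alice"})
    except Forbidden as e:
        print("refused:", e)
    print(audit_request(bob, {"uid": "alice"}))
```

The design point is that the object identifier in the URL or body is never the authority on ownership; the session is. Keeping the per-message lookup inside the owner's mailbox (rather than fetching by mid globally and then checking) also avoids leaking whether an identifier exists elsewhere.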

“One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.,” the expert wrote in a blog post.

The researcher created a proof-of-concept script that fetched the emails of a certain user and printed the sender addresses and subject lines on the screen. The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant confirmed the existence of the issue by the next day.

The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year.

Verizon’s controversial tracking header

Last week, computer scientist and lawyer Jonathan Mayer revealed that Verizon’s advertising partner Turn had been using the telecoms company’s UIDH tracking header to monitor users’ activities.

Turn had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out.

The existence of Verizon’s controversial system came to light last year, but the company denied using the tracking method in its own business model. After being exposed by Mayer, Turn announced on Friday that it will suspend its “zombie cookies” program.

“This is a step toward victory for everyone who spoke out against Turn’s zombie cookies, but it is not enough. Turn’s cookies just underscore the huge privacy problems with Verizon’s header injection. Turn’s cookies were the first example found, but Verizon enables any company to use the identifier in similarly abusive ways, some of which may not be visible to users,” the Electronic Frontier Foundation (EFF) said. “Verizon needs to follow Turn’s lead, and end their UIDH header injection program immediately.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
