Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Verizon Fixes Vulnerability Exposing User Email Accounts

Hackers could have easily hijacked the email accounts of Verizon customers by leveraging a vulnerability in a FiOS Web service, a researcher revealed on Sunday.

Software developer and security researcher Randy Westergren discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS.

Hackers could have easily hijacked the email accounts of Verizon customers by leveraging a vulnerability in a FiOS Web service, a researcher revealed on Sunday.

Software developer and security researcher Randy Westergren discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS.

While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account.

The researcher later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. Westergren even managed to send out an email on another user’s behalf by exploiting the vulnerability.

“One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.,” the expert wrote in a blog post.

The researcher created a proof-of-concept script that fetched the emails of a certain user and printed the sender addresses and subject lines on the screen. The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant confirmed the existence of the issue by the next day.

Advertisement. Scroll to continue reading.

The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year.

Verizon’s controversial tracking header

Last week, computer scientist and lawyer Jonathan Mayer revealed that Verizon’s advertising partner Turn had been using the telecoms company’s UIDH tracking header to monitor users’ activities.

Turn had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out.

The existence of Verizon’s controversial system came to light last year, but the company denied using the tracking method in its own business model. After being exposed by Mayer, Turn announced on Friday that it will suspend its “zombie cookies” program.

“This is a step toward victory for everyone who spoke out against Turn’s zombie cookies, but it is not enough. Turn’s cookies just underscore the huge privacy problems with Verizon’s header injection. Turn’s cookies were the first example found, but Verizon enables any company to use the identifier in similarly abusive ways, some of which may not be visible to users,” the Electronic Frontier Foundation (EFF) said. “Verizon needs to follow Turn’s lead, and end their UIDH header injection program immediately.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.