Verizon FiOS app flaw exposes 5 Million Customers’ accounts

Pierluigi Paganini January 19, 2015

Security expert discovered a critical flaw in Verizon’s FiOS mobile app that could be exploited to access the email account of any Verizon customer.

A new critical vulnerability in exposing million accounts to cyber threats, this time the flaw affects the Verizon FiOS mobile app and could be exploited by attackers to access the email account of any Verizon customer. It has been estimated that almost five million user accounts of Verizon FiOS application at risk.

The FiOS API vulnerability  was discovered by the XDA senior software developer Randy Westergren on January 14, 2015, the expert has discovered that he was able to gain complete control of the account to access its data, including inboxes, and also acting on the owner behalf.

Westergren analyzed the traffic generated by the Android version of My FiOS, which gives customers the whole lot of control their account and email, in this way he demonstrated a possible hack on the account and reported the flaw to Verizon.

The FiOS API vulnerability allows an attacker to access any account by simple manipulating user identification numbers in the web requests, the attack could give attackers the ability to read customers’ messages from a their Verizon inbox.

Verizon FIOS mobile app 2

The expert noticed two direct references to his username, particularly this parameter:  getEmail?format=json&uid=RWESTERGREN05

“Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies,” Westergren wrote in an advisory. “Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox.” “Using the returned header list, one can read individual inbox messages by substituting the corresponding mid and uid in the following GET request:”

The vulnerability could be also exploited to send email messages from victims’ accounts.

“It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful,” Westergren added.

Westergren has also written a proof-of-concept to demonstrate the vulnerability to the Verizon team. The security experts at the Verizon admitted the presence of the critical flaw and promptly issued a fix just a couple of day the vulnerability was disclosed.

“Version’s (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously,” Westergren said. 

Verizon rewarded Westergren with a year’s worth of free internet.

 This is a case of success, an example of how a vulnerability must be managed and for this reason report the disclosure Timeline

2015-01-14: Initial report to Verizon’s security group
2015-01-14: Verizon confirms receiving report, investigation begins
2015-01-15: Follow-up email with acknowledgement of the issue
2015-01-16: Fix released and confirmed

Pierluigi Paganini

(Security Affairs –  Verizon FiOS, mobile)

you might also like

leave a comment