Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts

As a Verizon FiOS customer, I had never used the My FiOS app for Android to manage my account. Since Verizon has a good amount of my information, I thought it would be a good candidate for research. I was right and the results were astonishing. I identified a vulnerability in one of the My FiOS web services that allowed access to any user’s Verizon email account. This included reading their inbox, individual messages, and even sending on their behalf. One can realize the seriousness of this issue, since obtaining access to someone’s email can be used to access a number of other accounts, e.g. banking, Facebook, etc.

While proxying the requests from my device, I noticed an interesting call to fetch the emails in my inbox. The result is used to populate an inbox preview on the main screen of the app, shown here:

And here’s the corresponding web request:

It was interesting to see two direct references to my username, particularly this parameter: getEmail?format=json&uid=RWESTERGREN05

The response is a JSON object containing the header information for the emails in my inbox (a shortened list for readability):

Altering the uid parameter and specifying another username shouldn't have had any effect, since I was logged in and my session was maintained through my cookies. Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox. This was enough of an issue on its own, but I immediately questioned whether the other API methods were affected too.

Using the returned header list, one can read individual inbox messages by substituting the corresponding mid and uid in the following GET request:

The response:

Using the same parameter substitution, I was able to read the email messages of other users. My suspicion was that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user. This request was also successful:

The severity of this issue was immediately apparent. My next step was to write a quick proof-of-concept to demonstrate the vulnerability before sending it over to Verizon.

The script logs a valid user into the web service, fetches the inbox message headers for the target user, and prints out the from address and subject lines.
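The root cause described above is an authorization check that stops at "is this session logged in?" and then trusts the client-supplied uid to choose whose mailbox to return. The following is an added illustration, not Verizon's code and not the author's proof-of-concept: a minimal model of the inbox endpoint with the broken handler beside a corrected one that derives the mailbox from the session identity. All sessions, usernames and messages are constructed sample data.

```python
# Added illustration (not Verizon's code or the author's PoC): a minimal model
# of an authenticated mailbox API, showing the broken authorization the post
# describes (trusting a client-supplied uid) beside the corrected handler.

# Constructed sample data: sessions keyed by cookie, mailboxes keyed by username.
SESSIONS = {"cookie-abc": "alice", "cookie-xyz": "bob"}
MAILBOXES = {
    "alice": [{"mid": 1, "from": "friend@example.com", "subject": "lunch?"}],
    "bob": [{"mid": 7, "from": "bank@example.com", "subject": "statement"}],
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested mailbox."""


def authenticate(cookie):
    """Resolve the session cookie to a username, or raise if not logged in."""
    try:
        return SESSIONS[cookie]
    except KeyError:
        raise Forbidden("not logged in") from None


def get_email_vulnerable(cookie, uid):
    """Broken: checks that the session is valid, then trusts the uid query
    parameter to select the mailbox. Any logged-in user can read any inbox
    (an insecure direct object reference)."""
    authenticate(cookie)
    return MAILBOXES[uid]


def get_email_fixed(cookie, uid):
    """Fixed: the mailbox is chosen from the session identity. If a uid
    parameter is still accepted for compatibility, it must match that user."""
    user = authenticate(cookie)
    if uid != user:
        # Worth logging server-side: repeated uid/session mismatches are a
        # useful detection signal for account enumeration.
        raise Forbidden(f"session user {user!r} may not read mailbox {uid!r}")
    return MAILBOXES[user]


def is_denied(handler, cookie, uid):
    """Return True if the handler rejects the request, False if it serves it."""
    try:
        handler(cookie, uid)
    except Forbidden:
        return True
    return False
```

The same session-bound check applies to the per-message and send endpoints the post goes on to describe: every object reference (uid, mid) must be validated against the authenticated user, not just against "some session exists".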

The next step was to reach out to Verizon. Being such a large company, I thought it would probably be difficult to get in contact with the right people. I tried their Twitter account, but their customer service reps weren't very helpful. After reading this article, I figured reaching out to someone at [email protected] would at least point me in the right direction. They actually responded very quickly and confirmed they were the right group to report the issue to.

Disclosure Timeline

2015-01-14: Initial report to Verizon’s security group
2015-01-14: Verizon confirms receiving report, investigation begins
2015-01-15: Follow-up email with acknowledgement of the issue
2015-01-16: Fix released and confirmed

Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously. They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude.
