Verizon has patched a critical security flaw in the firm’s email system which permitted attackers to intercept messages and potentially hijack other accounts.
The vulnerability was discovered by researcher Randy Westergren, a software developer for XDA Developers. In a blog post this week, the security expert said the bug “would have allowed an attacker to intercept incoming emails from any user’s inbox without interaction.”
The researcher has worked with Verizon on multiple occasions to fix security flaws and has previously disclosed a critical vulnerability in Verizon’s MyFiOS app’s API.
This particularly severe security concern, however, lies within Verizon’s webmail portal. The Insecure Direct Object References (IDOR) vulnerability was found within the “Settings” tab of the portal, which contained weaknesses in user identification systems.
The researcher altered the forwarding settings of his own account to a substitute account with another userID value. While this is an internal ID rather than the target’s true email address, Verizon “exposes an API with which an attacker (or anyone) could look up this internal ID,” according to the researcher.
The ID change request was successful, which meant that an attacker could substitute their own Verizon ID and set a forwarding address to receive the victim’s emails. This is a serious problem not only for basic privacy but as many of us use a single email address to retain control over multiple online accounts, access to this address could be used to intercept password reset requests for anything from Facebook to online banking.
The vulnerability was reported to the US broadband provider on 14 April and the flaw was patched on 12 May.
Westergren says this security problem is not the end of the story. There are other vulnerabilities in Verizon’s webmail portal of “varying severities” which the researcher may publicly disclose in the future.