Skip to content ↓ | Skip to navigation ↓

On Friday, Verizon patched a vulnerability in its My FIOS app that allowed users to compromise and send messages from other users’ email accounts.

The vulnerability was first reported by Randy Westergren, a senior software developer for XDA-Developers.

Westergren details in a blog post that he first found the vulnerability while he was proxying requests from his device using the My FIOS Android app.

In order to populate an inbox preview, the app sent a specific web request that, among other things, included this parameter getEmail?format=json&uid=RWESTERGREN05, which makes direct references to his username.

By substituting the uid and mid values in the GET request, the researcher discovered he was able to access the inbox of other users’ email accounts and read their messages.

Westergren then tested a number of other APIs to see if they were vulnerable. Most notably, he determined that he could successfully send a message from another user’s inbox.

The researcher sent a proof-of-concept of the vulnerability to Verizon Security, whose teams patched the bug in three days. Still, it is unclear how long the bug may have been open.

“I can speculate that it was an issue since the development of the app [in June 2013],” comments Westergren. “But if the API is used elsewhere, it could have been even longer.”

The flaw was in part facilitated by an even more significant weakness in Verizon’s email system—its continued use of HTTP instead of HTTPS. “Exploiting this vulnerability would’ve been very simple for an attacker,” Westergren explained further. “The only requirement was to login with any valid Verizon account.”

News of the My FIOS vulnerability comes on the heels of the discovery that advertising companies have been exploiting Verizon’s Unique Identity Header (UIDH), a tracking number which is included in the header of each web request sent over Verizon’s wireless network.

Turn and other advertising technology firms have been allegedly using Verizon customers’ UIDH numbers to revive their dead cookies and send them to Google, Facebook, and other tech giants, a move which some argue is undermining user privacy online.