Flawed Verizon My FiOS mobile app exposed email accounts

Verizon has now fixed the vulnerability in the API of My FiOS, according to a software developer

Verizon fixed a serious vulnerability in its My FiOS mobile application that allowed unfettered access to email accounts, according to a developer who found the problem.

Randy Westergren, a senior software developer with XDA Developers, looked at the Android version of My FiOS, which is used for account management, email and scheduling video recordings.

Randy Westergren Screenshot, LinkedIn

Randy Westergren

"Since Verizon has a good amount of my information, I thought it would be a good candidate for research," Westergren wrote on his personal blog. "I was right, and the results were astonishing."

The flaw, contained in the application's API, could have allowed an attacker to read individual messages from a person's Verizon inbox and even send emails from an account, he wrote.

Westergren looked at the traffic sent back and forth between My FiOS and Verizon's servers. He found My FiOS would return the content of someone else's email inbox by simply substituting a different user ID in a request.

He contacted Verizon on Thursday, which acknowledged the problem a day later. Verizon issued a fix on Friday, Westergren wrote.

"Verizon's security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren wrote. "They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude."

Verizon officials couldn't immediately be reached for comment Sunday.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.