Verizon sprints to crush FiOS account exposure hole
ALL accounts exposed, private messages accessible
Up to five million user accounts, including email inboxes and private messages of Verizon's FiOS application, were exposed thanks to a flaw reported today.
XDA senior software developer Randy Westergren said the FiOS API flaw, since fixed, allowed any account to be accessed by manipulating user identification numbers in web requests.
"Altering the uid parameter and specifying another username shouldn't have an effect, since I'm logged in and my session is maintained through my cookies," Westergren said in an advisory.
"Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox."
Westergren said the flaw also allowed attackers to send messages from victim accounts, and he found and exploited further vulnerable API calls.
"It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful."
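The access-control mistake Westergren describes is an insecure direct object reference: the server checks that a session exists but then serves whatever uid the client supplies. The following is an added illustration, not Verizon's code; the session store, mailbox contents and function names are all constructed for the example, with the vulnerable handler beside a version that binds the mailbox to the session identity.

```python
# Constructed sample data (not from the article): session cookie -> logged-in
# username, and username -> inbox messages held in memory.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}
INBOXES = {
    "alice": ["Hi Alice, your FiOS bill is ready."],
    "bob": ["Bob, dentist appointment on Tuesday."],
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested mailbox."""


def authenticated_user(session_cookie: str) -> str:
    """Resolve the session cookie to the logged-in user; fail if no session."""
    try:
        return SESSIONS[session_cookie]
    except KeyError:
        raise Forbidden("no valid session")


def get_inbox_vulnerable(session_cookie: str, uid: str) -> list:
    """Vulnerable pattern (hypothetical): authentication is checked, but the
    client-supplied uid decides whose inbox is returned, so any logged-in
    user can read any other user's mail just by changing the parameter."""
    authenticated_user(session_cookie)  # proves a login exists, not ownership
    return list(INBOXES[uid])


def get_inbox_fixed(session_cookie: str, uid: str) -> list:
    """Fixed pattern: the mailbox owner comes from the session, and a uid that
    does not match the session identity is rejected rather than honoured.
    Ignoring uid entirely would also be safe; rejecting it makes tampering
    attempts visible to server-side logging and detection."""
    user = authenticated_user(session_cookie)
    if uid != user:
        raise Forbidden(f"session user {user!r} may not access uid {uid!r}")
    return list(INBOXES[user])


def send_message_fixed(session_cookie: str, uid: str, to: str, body: str) -> str:
    """Same rule on the outbound call: the sender is always the session user,
    so a message cannot be sent in another account's name."""
    user = authenticated_user(session_cookie)
    if uid != user:
        raise Forbidden(f"session user {user!r} may not send as uid {uid!r}")
    INBOXES.setdefault(to, []).append(f"From {user}: {body}")
    return user
```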
The app hacker quietly reported the holes to Verizon, which issued a fix Friday, two days after it was disclosed, and rewarded Westergren with a year's worth of free internet.
"Verizon's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," he said. ®