"Altering the uid parameter and specifying another username shouldn't have an effect, since I'm logged in and my session is maintained through my cookies," Westergren wrote in an advisory. "Amazingly, this was not the case. Substituting the uid with the username of another email account indeed returned the contents of their inbox."
Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk.
The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible to not only read the contents of other users' inboxes, but also send message on their behalf.
The issue was discovered while analyzing traffic generated by the Android version of My FiOS, which is used for account management, email and scheduling video recordings.
Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher of the notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it should be done - quickly and efficiently.
Microsoft could learn a lot more from Verizon, as Microsoft wasn't able to fix the security flaws in its software reported by Google's Project Zero team even after a three-month-long time period provided to the company. One-after-one three serious zero-day vulnerabilities in Windows 7 and 8.1 were disclosed by Google's security team before Microsoft planned to patch them.
The FiOS API flaw, actually contained in the application's API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers ability to read individual messages from a person's Verizon inbox.
According to the security researcher, the vulnerability even allowed attackers to send email messages from victims' accounts and found and exploited further vulnerable API calls.
"It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful," Westergren wrote.
The problem has been fixed by the telecom giant, so there is no need for users to worry about it. Verizon rewarded Westergren with a year's worth of free internet. "Version's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said.