A serious vulnerability was recently discovered in the email portal of telecom company Verizon. The flaw could have allowed hackers to forward users’ emails to an arbitrary address. The targeted users would have been left unaware.
The report was submitted by researcher Randy Westergren, who announced finding several vulnerabilities in Verizon’s webmail service. His research shows that the feature for forwarding incoming emails to an arbitrary address can be exploited. When the feature is enabled, the forwarded emails are not shown in the normal Verizon inbox.
The vulnerability comes from a userID parameter. Because this parameter is exposed, it can lead to an insecure direct object reference (IDOR) vulnerability: by editing the value of the parameter, a hacker can access confidential information from a user’s account. The flaw lies in Verizon’s webmail system, as the userID was confirmed to be associated with an internal Verizon ID.
Throughout the research, the forwarding request and the response from the server were examined. The conclusion was that a weakness in the system allowed the internal ID to be retrieved through a Verizon API. A hacker could obtain the mail ID for a specified email address and then replace the value of the userID with the ID of a targeted user. He could then make a request to have that user’s emails sent to an arbitrary email address.
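The missing server-side check behind this kind of IDOR, shown next to a corrected handler. This is an added example, not Verizon's code or the researcher's PoC: only the userID parameter name comes from the article, while the session tokens, the forwardTo field, the internal IDs and all function names are assumptions made for illustration.

```python
# Added illustration: every name below except "userID" is hypothetical and
# does not reflect Verizon's actual code or API.
import logging

log = logging.getLogger("webmail.authz")

# Constructed sample data: session token -> internal ID of the logged-in account.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}


class Forbidden(Exception):
    """Raised when a request targets an account the session does not own."""


def set_forwarding_vulnerable(store, token, params):
    """IDOR: the target account is taken from the client-supplied userID."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    # Being logged in is the only check; any valid user can name any userID.
    store[params["userID"]] = params["forwardTo"]


def set_forwarding_hardened(store, token, params):
    """Fix: the target account is derived from the server-side session."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not authenticated")
    supplied = params.get("userID")
    if supplied is not None and supplied != owner:
        # A mismatch is a tampering signal worth alerting on.
        log.warning("userID mismatch: session=%s supplied=%s", owner, supplied)
        raise Forbidden("userID does not match session")
    store[owner] = params["forwardTo"]


def demo():
    """Replay the same cross-account request against both handlers."""
    request = {"userID": "1001", "forwardTo": "other@example.com"}  # sent by bob
    weak, strong = {}, {}
    set_forwarding_vulnerable(weak, "tok-bob", request)
    try:
        set_forwarding_hardened(strong, "tok-bob", request)
        blocked = False
    except Forbidden:
        blocked = True
    return weak, strong, blocked
```

The hardened handler never uses the supplied userID to select the account; it only compares it with the session owner, so the rejected requests double as a detection signal in the logs.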
Mr. Westergren published a blog post on the matter, addressing the discovered vulnerabilities. The following excerpts sum up the severity of the situation. “Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails – an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc.”
“Recall that incoming emails would no longer be received by the user’s inbox, so they would be oblivious to such an account compromise – this would also make it much easier for an attacker to go about resetting other passwords since the reset emails would never be received by the victim”.
After making these findings, the researcher developed a proof-of-concept (PoC) and sent it to Verizon together with a complete vulnerability report on April 14. It took the cellphone company nearly a month to patch the flaw. The delay was due to a recent strike. More importantly, Verizon set out to review its entire system and discovered similar faults in other requests.
Last year, Mr. Westergren was credited with discovering a fault in the code of another Verizon email application. The researcher detected a flaw in Verizon’s FiOS service for the Android app. Had it not been detected, this vulnerability could have allowed hackers to hijack users’ email accounts.