Verizon E-Mail Vulnerability Left All Users’ Messages At Risk

While many people no longer use the free e-mail accounts made available by their Internet service providers, there are still millions of Americans who do. And up until last week, a reported vulnerability in Verizon’s My FiOS app left all Verizon e-mail users’ messages at risk of being read by complete strangers.


On his blog, software developer Randy Westergren details how he recently discovered a vulnerability in the request the app makes to the Verizon servers when populating the app’s inbox preview. By going into that request and simply changing the user ID to another user’s account name, he could access their inbox. Further mucking around allowed him to send messages as that user.
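The class of flaw described here is a server that authenticates the caller but then trusts a user ID supplied in the request. The sketch below is an added illustration, not Verizon's code or Westergren's; the session table, mailbox data, parameter name `uid` and handler names are all hypothetical. It shows the flawed pattern beside a handler that ties the mailbox to the logged-in session and records mismatches for the security team.

```python
# Added illustration. Every name and value here is constructed for the example.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> account
MAILBOXES = {
    "alice": ["Your bill is ready", "Lunch on Friday?"],
    "bob": ["Password reset code", "Tax documents"],
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested mailbox."""


def inbox_preview_vulnerable(token, params):
    """Flawed pattern: checks that the caller is logged in, then trusts 'uid'."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    # No check that params["uid"] belongs to the session that sent the request.
    return MAILBOXES[params["uid"]]


def inbox_preview_fixed(token, params, audit_log):
    """Hardened: the mailbox comes from the session; a foreign uid is refused."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    requested = params.get("uid", owner)
    if requested != owner:
        # Keep a record so repeated mismatches can be alerted on.
        audit_log.append(
            {"event": "uid_mismatch", "session_user": owner, "requested": requested}
        )
        raise Forbidden("uid does not match session")
    return MAILBOXES[owner]


if __name__ == "__main__":
    log = []
    print(inbox_preview_fixed("tok-alice", {"uid": "alice"}, log))
    try:
        inbox_preview_fixed("tok-alice", {"uid": "bob"}, log)
    except Forbidden as exc:
        print("refused:", exc, log)
```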


“The next step was to reach out to Verizon,” writes Westergren. “Being such a large company, I thought it was probably going to be difficult to get in contact with the right people.”


Twitter was no use, so he tried contacting Verizon’s corporate security team directly and ended up getting a timely response.


Within two days, Verizon had patched the vulnerability, which is good news. But as Thomas Fox-Brewster points out on Forbes.com, there is still the issue that Verizon doesn’t provide end-to-end encryption of its e-mails.




by Chris Morran via Consumerist
