Monday, 19 January 2015


Verizon FiOS App Vulnerability Leaked 5 Million Customers' Email Addresses


A critical vulnerability discovered in Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk.

The FiOS API flaw was found by XDA senior software developer Randy Westergren on 14 January 2015, when he discovered that it was possible not only to read the contents of other users' inboxes, but also to send messages on their behalf.

Randy Westergren wrote:
"It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful"

The flaw, which resided in the application's API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers the ability to read individual messages from a person's Verizon inbox.

According to the security researcher, the vulnerability even allowed attackers to send email messages from victims' accounts, and he found and exploited further vulnerable API calls.
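The class of flaw described above, an API that trusts a user identification number supplied in the request, is shown here next to a corrected form that applies one ownership check to every method. This is an added example, not code from Verizon or from Westergren's report; the handler names, the session table and the sample data are hypothetical and constructed for illustration.

```python
import functools

# Constructed sample data for this example.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}  # session token -> user id
INBOXES = {"1001": ["Welcome, Alice"], "1002": ["Invoice for Bob"]}
OUTBOX = []


class Forbidden(Exception):
    """The request is not authorized."""


def read_inbox_vulnerable(token, uid):
    # Flaw: the session only has to be valid. The uid is taken from the
    # request and never compared with the user the session belongs to.
    if token not in SESSIONS:
        raise Forbidden("invalid session")
    return list(INBOXES[uid])


def owner_only(handler):
    """Reject any request whose uid is not the uid bound to the session."""
    @functools.wraps(handler)
    def wrapper(token, uid, *args):
        session_uid = SESSIONS.get(token)
        if session_uid is None:
            raise Forbidden("invalid session")
        if uid != session_uid:
            raise Forbidden("uid does not belong to this session")
        # Pass on the server-side identity, not the client-supplied value.
        return handler(session_uid, *args)
    return wrapper


@owner_only
def read_inbox(uid):
    return list(INBOXES[uid])


@owner_only
def send_message(uid, to, body):
    message = {"from": uid, "to": to, "body": body}
    OUTBOX.append(message)
    return message
```

Wrapping every handler in the same decorator matters here because the report suspected all of the widget's API methods, not just inbox reads, of sharing the missing check.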
