http://www.dslreports.com/shownews/Another-Security-Flaw-Found-in-Verizons-MyFiOS-App-136049
Just about a year ago we noted how Randy Westergren, senior software developer with XDA-Developers, had discovered a flaw in Verizon's MyFiOS app that exposed some Verizon customer information. The flaw also allowed attackers to view customer e-mails -- and send e-mails from those accounts. While that flaw was resolved, Westergren this week stated he found another vulnerability that piggybacked off of the original flaw.
His original discovery involved the fact that the Verizon REST API uses cookies for authenticating users.
By accessing his Verizon account via browser and then examining the REST API URL, data usually reserved for display in the app could be displayed in a browser. From there, Westergren used a loophole in the app's API authentication scheme to create a malicious website capable of sending e-mails from other Verizon FiOS users to his own account (a cross-site request forgery, or CSRF, attack).
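The mechanism behind that attack is that the browser attaches the user's authentication cookie to any request aimed at the API, including requests a third-party page triggers. The following is an added example, written for this article and not code from Verizon, Westergren or the MyFiOS app, showing the server-side checks that stop a cookie-authenticated REST endpoint from honouring such cross-site requests: an Origin/Referer allow-list plus a CSRF token bound to the session with an HMAC. The origin list, secret, cookie name and sample requests are all assumed or constructed for illustration.

```python
# Added example: rejecting cross-site requests to a cookie-authenticated API.
# Not the article's or Verizon's code; all names and values below are assumed.
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed: the only origins from which our own web/app front-end calls the API.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}
# Constructed secret for the example; a real deployment loads it from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC-SHA256(secret, session id).
    The front-end receives it in a response body and echoes it back in each
    state-changing request; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Check the Origin header (or, failing that, the Referer) against the
    allow-list. Browsers set these on cross-site requests and scripts cannot
    forge them, so a request from a malicious page carries its own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no evidence the request came from our site: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_state_change(method: str, headers: dict, cookies: dict, form: dict) -> bool:
    """Decide whether a cookie-authenticated call that changes state (such as
    'send an e-mail from this account') may proceed. Safe methods pass; unsafe
    methods need a session cookie, an allowed origin and a valid CSRF token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    session_id = cookies.get("session")
    if session_id is None:
        return False  # unauthenticated
    if not origin_allowed(headers):
        return False  # request was initiated from a foreign origin
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(expected, supplied)


def evaluate_samples() -> dict:
    """Run three constructed requests through the check. The victim's browser
    sends the same session cookie in all of them; only the origin and the
    token differ."""
    cookies = {"session": "constructed-session-id-123"}
    good_token = issue_csrf_token(cookies["session"])
    samples = {
        # Legitimate call from our own front-end with the token it was issued.
        "same_site_with_token": ("POST",
                                 {"Origin": "https://www.example.com"},
                                 cookies, {"csrf_token": good_token}),
        # Cross-site request forged by a page on another origin: the cookie is
        # attached by the browser, but the origin is foreign and no token is known.
        "cross_site_forgery": ("POST",
                               {"Origin": "https://attacker.invalid"},
                               cookies, {}),
        # Same-site request whose token was left out (e.g. a buggy client).
        "same_site_missing_token": ("POST",
                                    {"Referer": "https://app.example.com/compose"},
                                    cookies, {}),
    }
    return {name: accept_state_change(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Either check alone blocks the scenario in the article; using both guards against a missing Origin header on older clients and against an allow-list mistake. Marking the session cookie `SameSite=Lax` or `Strict` at issue time adds a third, browser-enforced layer, but the server-side check remains the one that cannot be bypassed by a client that ignores the attribute.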
"This means an attacker could have very easily leveraged this vulnerability to hijack another user’s account by simply having them visit a malicious page," he notes.
Westergren says despite the flaw, Verizon has been very responsive when approached with these vulnerabilities.
"I’ve always had a great experience when reporting vulnerabilities to Verizon and this disclosure was not much different," he said. "Verizon’s security team immediately took the report seriously and implemented steps to mitigate the impact."
Westergren said he reported the vulnerability to Verizon on October 14, and Verizon's patch had been tested as working by November 5.