Verizon E-Mail Vulnerability Left All Users’ Messages At Risk

While many people no longer use the free e-mail accounts made available by their Internet service providers, there are still millions of Americans who do. And up until last week, a reported vulnerability in Verizon’s My FiOS app left all Verizon e-mail users’ messages at risk of being read by complete strangers.

On his blog, software developer Randy Westergren details how he recently discovered a vulnerability in the request the app makes to the Verizon servers when populating the app’s inbox preview. By going into that request and simply changing the user ID to another user’s account name, he could access their inbox. Further mucking around allowed him to send messages as that user.
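The class of flaw described above, a server that returns whichever mailbox the request names, is shown here next to a corrected handler. This is an added illustration, not code from Westergren's post or from Verizon; the handler names, session tokens and mailbox contents are hypothetical and constructed, and it assumes the server already authenticates each request with a session token.

```python
# Added illustration. All names and data are hypothetical and constructed;
# this is not Verizon's API or code.

# Constructed mail store keyed by account name.
MAILBOXES = {
    "alice": ["Your bill is ready", "Lunch on Friday?"],
    "bob": ["Password reset code", "Flight itinerary"],
}

# Constructed session table: opaque token -> account the server authenticated.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# (authenticated account, requested account) pairs kept for detection.
AUDIT = []


class Forbidden(Exception):
    """The caller may not read the requested mailbox."""


def authenticate(token):
    """Return the account bound to the session token, or raise Forbidden."""
    if token not in SESSIONS:
        raise Forbidden("invalid session")
    return SESSIONS[token]


def inbox_preview_vulnerable(token, user_id):
    """Flawed: confirms a login exists, then trusts user_id from the request."""
    authenticate(token)
    return MAILBOXES.get(user_id, [])


def inbox_preview_fixed(token, user_id=None):
    """Corrected: the mailbox is chosen from the session, never from the request."""
    account = authenticate(token)
    if user_id is not None and user_id != account:
        # A mismatch is either a client bug or tampering; record and refuse.
        AUDIT.append((account, user_id))
        raise Forbidden("mailbox does not belong to this session")
    return MAILBOXES[account]
```

The corrected handler treats the client-supplied ID as untrusted input, and the recorded mismatches give the operations team something to alert on.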

“The next step was to reach out to Verizon,” writes Westergren. “Being such a large company, I thought it was probably going to be difficult to get in contact with the right people.”

Twitter was no use, so he tried contacting Verizon’s corporate security team directly and ended up getting a timely response.

Within two days, Verizon had patched the exploit, which is good news. But as Thomas Fox-Brewster points out on Forbes.com, there is still the issue that Verizon doesn’t provide end-to-end encryption of its e-mails.

UPDATE: A rep for Verizon issued this statement clarifying the encryption issue on its e-mails —

Please be aware that Verizon does provide end-to-end encryption security for our customers’ email messages while in transit – as long as the other party’s email service provider also does so. If you visit the home page for Verizon Webmail, you’ll see the HTTPS marker in its URL. Our customers’ privacy and security is incredibly important to us.