A Verizon customer who decided to investigate the private API powering the company's My FiOS Android app discovered a major vulnerability that allowed him to access any other customer's email account.
On his blog, security researcher Randy Westergren detailed how he noticed that an API request to retrieve the emails in his inbox included two references to his username. Westergren assumed that replacing the username with another would have no effect. "Altering the uid parameter and specifying another username shouldn’t have an effect, since I’m logged in and my session is maintained through my cookies," he wrote.
But that wasn't the case. "Substituting the uid with the username of another email account indeed returned the contents of their inbox," Westergren was shocked to discover. What's more, he found that other API methods, including a method used to send emails, were vulnerable to the same simple flaw, giving him the ability to send emails from other user accounts.
Recognizing that he had stumbled upon a massive security issue, Westergren rushed to prepare a proof-of-concept Python script to send to Verizon. "Being such a large company, I thought it was probably going to be difficult to get in contact with the right people," he explained. "I tried their Twitter account, but their customer service reps weren’t very helpful. After reading [an] article, I figured reaching out to someone at CorporateSecurity@verizonwireless.com would at least point me in the right direction. They actually responded very quickly and confirmed they were the right group to report the issue to."
Westergren received a response from Verizon the same day he submitted his report, and the issue was fixed, and the fix confirmed, within two days. In exchange for his help, Verizon offered Westergren a free year of Internet service.
The Good Side of Private API Snooping
Verizon's prompt response to the security vulnerability Westergren discovered is commendable. Companies have an obligation to do right by their customers, and addressing issues that put their customers' data at risk demands the kind of reaction Verizon provided.
But the nature of this security vulnerability also demonstrates the importance of making security a priority from start to finish. Specifically, it appears that Verizon failed to follow best practices for authentication. Submitting usernames as a parameter — over an unencrypted connection no less — and not performing basic checks to ensure that the client requesting data for a user was authorized to view that user's data is an embarrassing and frankly inexcusable faux pas.
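The missing check described above is easier to see in code. The following is an added illustration, not Verizon's code and not Westergren's proof-of-concept: a minimal request handler that selects the mailbox by the client-supplied uid parameter, beside one that binds the mailbox to the user the session cookie actually authenticates. The session store, the mailboxes, the Request type and the handler names are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample data: a session cookie maps to the authenticated user,
# and each username maps to that user's inbox.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}
MAILBOXES = {
    "alice": ["Welcome to FiOS", "Your bill is ready"],
    "bob": ["Lunch tomorrow?"],
}


@dataclass
class Request:
    cookie: str                                  # session cookie sent by the client
    params: dict = field(default_factory=dict)   # query parameters such as uid


class Unauthenticated(Exception):
    """No valid session accompanied the request."""


class Forbidden(Exception):
    """The session is valid but does not own the requested object."""


def authenticate(request):
    """Resolve the session cookie to a user; unknown sessions are rejected."""
    user = SESSIONS.get(request.cookie)
    if user is None:
        raise Unauthenticated("no valid session")
    return user


def get_inbox_vulnerable(request):
    """The flaw: the handler confirms that *someone* is logged in, then
    picks the mailbox from a client-controlled value. Any authenticated
    user can read any other user's inbox by changing uid."""
    authenticate(request)
    uid = request.params["uid"]
    return MAILBOXES[uid]


def get_inbox_fixed(request):
    """The fix: the object is tied to the authenticated principal. A uid
    that disagrees with the session is denied (and would be logged), never
    silently honoured."""
    user = authenticate(request)
    requested = request.params.get("uid", user)
    if requested != user:
        raise Forbidden(f"{user} may not access mailbox of {requested}")
    return MAILBOXES[user]


def send_mail_fixed(request, body):
    """The same rule applied to the send method: the sender is whoever the
    session authenticates, regardless of any uid the client supplies."""
    user = authenticate(request)
    return {"from": user, "to": request.params["to"], "body": body}


def outcome(handler, request):
    """Run a handler and report either its result or the denial it raised."""
    try:
        return ("ok", handler(request))
    except (Unauthenticated, Forbidden) as exc:
        return ("denied", type(exc).__name__)


if __name__ == "__main__":
    cross_user = Request("cookie-alice", {"uid": "bob"})
    print("vulnerable:", outcome(get_inbox_vulnerable, cross_user))
    print("fixed:     ", outcome(get_inbox_fixed, cross_user))
```

The point of the hardened handler is that the authorization decision is made from server-side state (the session) rather than from anything in the request body or query string; the uid parameter becomes redundant and is only compared against the session to catch and record tampering.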
Fortunately for Verizon, the ease with which its private API could be inspected made it possible for somebody like Westergren to identify a flaw that, in the wrong hands, could have been used to wreak havoc. This serves as a reminder that as companies grapple with protecting their private APIs, they should be careful about mistaking obscurity for security. As Aldo Cortesi, the creator of mitmproxy, one of the most popular tools for reverse engineering private APIs, recently told me, "APIs, like crypto implementations, are at their best when they’re developed openly and widely scrutinized."