Clear path to Verizon email accounts patched

A vulnerability that could have allowed attackers to hijack incoming emails from Verizon users' inboxes without their knowledge has been detected by security researcher Randy Westergren, and patched by the communications company.

By substituting a friend's userID into the parameter settings of his own Verizon account, Westergren proved he was able to alter the forwarding address for any user account.

"Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails," he wrote.

This is, he wrote, an "extremely dangerous situation" as primary email accounts are commonly used to update passwords for other accounts.

After he sent Verizon a proof-of-concept, the company issued a patch, although, citing a recent strike, it did so more slowly than Westergren would have liked.
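
The missing authorization check behind this class of bug, shown as an added example that is not from the article, Westergren's write-up or Verizon's code: a forwarding-address handler that trusts a client-supplied userID, next to one that binds the change to the authenticated session. The in-memory store, the handler names and the `forwardTo` parameter are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MailStore:
    # Constructed in-memory stand-in for the provider's account settings.
    forwarding: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when a request targets an account the session does not own."""


def set_forwarding_vulnerable(store, session_user, params):
    # Flawed pattern: the target account comes from a client-controlled
    # parameter and is never compared with the authenticated session.
    store.forwarding[params["userID"]] = params["forwardTo"]


def set_forwarding_hardened(store, session_user, params):
    # The account is derived from the server-side session. A userID
    # parameter, if sent at all, must match it; mismatches are logged
    # so that tampering attempts are visible to monitoring.
    requested = params.get("userID", session_user)
    if requested != session_user:
        store.audit.append(("forwarding_denied", session_user, requested))
        raise Forbidden(f"{session_user} may not modify {requested}")
    store.forwarding[session_user] = params["forwardTo"]
    store.audit.append(("forwarding_changed", session_user, params["forwardTo"]))


def demo():
    # Constructed request: the session belongs to "alice", the parameter names "bob".
    tampered = {"userID": "bob", "forwardTo": "alice@example.net"}

    weak = MailStore()
    set_forwarding_vulnerable(weak, "alice", tampered)
    other_account_changed = weak.forwarding.get("bob") == "alice@example.net"

    strong = MailStore()
    try:
        set_forwarding_hardened(strong, "alice", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return other_account_changed, blocked, strong
```

Recording every forwarding change in the audit trail, not only the denied ones, also gives the account owner and the security team something to review or alert on.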
