A vulnerability that could have allowed attackers to hijack incoming emails from Verizon users’ inboxes without their knowledge has been detected by security researcher Randy Westergren, and patched by the communications company.
By substituting a friend’s userID into the parameter settings of his own Verizon account, Westergren proved he was able to alter the forwarding address for any user account.
“Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails,” he wrote.
This is, he wrote, an “extremely dangerous situation” as primary email accounts are commonly used to update passwords for other accounts.
After he sent Verizon a proof-of-concept, the company issued a patch, although, citing a recent strike, it did so more slowly than Westergren would have liked.
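
The flaw described above is a missing object-level authorization check: the server accepted the userID named in the request instead of tying the change to the logged-in account. The following Python is an added example, not Verizon's code or Westergren's proof-of-concept; the class, method names and sample accounts are hypothetical. It runs the same cross-account request against a handler that trusts the client-supplied ID and against one that enforces ownership and records the denied attempt.

```python
# Added illustration; all names and data below are hypothetical and constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to modify the target account."""


@dataclass
class MailSettings:
    forwarding: dict = field(default_factory=dict)  # user_id -> forwarding address
    audit: list = field(default_factory=list)       # denied attempts, for detection

    def set_forwarding_vulnerable(self, session_user, user_id, address):
        # Flaw: the session only proves that *some* valid user is logged in.
        # The target account is taken from a client-controlled parameter.
        self.forwarding[user_id] = address

    def set_forwarding_hardened(self, session_user, user_id, address):
        # Object-level authorization: the target must be the authenticated user.
        if user_id != session_user:
            self.audit.append((session_user, user_id, "forwarding_change_denied"))
            raise Forbidden(f"{session_user} may not modify {user_id}")
        self.forwarding[session_user] = address


def demo():
    """Run the same cross-account request against both handlers."""
    weak, strong = MailSettings(), MailSettings()
    # Constructed request: "alice" is logged in but names "bob" as the target.
    request = dict(session_user="alice", user_id="bob", address="alice@example.net")

    weak.set_forwarding_vulnerable(**request)
    try:
        strong.set_forwarding_hardened(**request)
        denied = False
    except Forbidden:
        denied = True

    # A legitimate change to the caller's own account still works.
    strong.set_forwarding_hardened("alice", "alice", "alice@example.org")
    return weak.forwarding, strong.forwarding, denied, strong.audit


if __name__ == "__main__":
    print(demo())
```

The audit entries written by the hardened handler are the signal to alert on: a session repeatedly naming other accounts' IDs in a settings change is not normal client behaviour.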