Verizon has fixed a critical vulnerability in its My FiOS app that made it possible to read and send messages from any Verizon user’s email account, according to a Sunday post by Randy Westergren, the security researcher and Verizon FiOS customer who identified the bug.
Westergren – who was investigating the My FiOS app for Android – notified Verizon on Jan. 14, and a fix was released on Jan. 16. He noted that access to an email account can be used to gain access to other accounts, such as Facebook or banking.
One commenter pointed out that Verizon is using unencrypted HTTP to transmit email and other sensitive information. In a statement sent to Forbes, Verizon said that it does encrypt all email, that the Android version of the app was unintentionally not set up for HTTPS, and that a fix has been pushed.