A security researcher has discovered a vulnerability tied to a Verizon application that would have allowed any user to access any Verizon email account -- and a fix has been rapidly pushed out.
As reported by ThreatPost on Monday, Verizon pushed out a fix for the flaw last week after security researcher Randy Westergren Jr. disclosed the vulnerability in the application programming interface, or API, used by Verizon's My Fios mobile app. The flaw was severe enough that the telecommunications giant patched the problem within 48 hours. Fios is Verizon's bundled phone, Internet, and television service.
The security researcher, who is a Verizon Fios customer, disclosed details of the vulnerability once a fix was issued for customers. Westergren reported that he discovered the vulnerability, which would allow a user to access any Verizon email account, scan the inbox, read individual emails and send messages. This is a severe problem because so many people connect other accounts to their email addresses -- ranging from social media accounts to e-commerce and banking -- and Verizon is a large provider of Web and email services in the United States.
Westergren realized that playing with different parameters also allowed him to send and delete email from another user's email inbox. The security researcher recognized how serious this flaw could be and contacted Verizon's corporate security after failing to get a worthwhile response on Twitter. Within two days, a fix had been prepared, confirmed by the researcher and released to the public.
"Verizon's security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. "They were very responsive during this process and even arranged for a free year of Fios Internet service as a token of their gratitude."