Verizon isn't making many friends when it comes to keeping private information private. Just two days after news broke that Verizon Wireless is collecting and in some cases selling web browsing info, its parent company has been given a black eye for insecure practices associated with the FiOS Internet service. Security researcher Randy Westergren discovered a way to access any FiOS user's Verizon email account by using the mobile API.

unnamed (11)

The message is, "You really shouldn't be using this app. Or the free email we gave you. At all."

Westergren's discovery and his explanation are highly technical, but what it boils down to is that he could substitute the username (and only the username) of a Verizon FIOS email user in a particular API script in order to access that account. This allowed him to retrieve email subjects and senders without ever having to authenticate with a password or other security token. This was the same API being used in the Verizon My FiOS app, which has access to the service's email accounts.

To Verizon's credit, the problem was fixed (and confirmed as fixed) just two days after the researcher alerted the company security team. lesson here is: don't give your email (or any other personal information) to companies that you don't trust, at least not if you can possibly avoid it.

Update: A Verizon representative contacted us to clarify the position of encryption on email services and the My FiOS app. The email service itself uses SSL/TLS encryption with HTTPS to and from the mobile app, and so after the fix mentioned in the story above, information in the API session should only be visible to the authorized user.

Source: Randy Westergren