A vulnerability in Verizon’s webmail service could allow attackers to surreptitiously forward a victim’s emails to a different address.
There are several vulnerabilities in Verizon’s webmail portal, said researcher Randy Westergren. The most serious vulnerability was with the feature that allows users to forward all incoming emails to a specified address. When the user enables this feature, the forwarded emails do not appear in the normal Verizon inbox.
Analyzing the request sent when forwarding ends up activated and the response comes back from the server, Westergren found a userID parameter. These types of parameters often introduce insecure direct object reference (IDOR) vulnerabilities, where an attacker can access content they should not be allowed to access (e.g. a user account) simply by changing the value of the parameter.
Westergren found the value of the userID ended up associated with an internal Verizon ID. However, he found a way to look up the internal ID and obtain the mail ID for a specified email address by using a Verizon API.
Using this method, an attacker who possessed a Verizon email account could substitute the value of the userID in their own request with the ID of a targeted user in order to forward all the victim’s emails to an arbitrary email address.
“Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, .e.g banking, Facebook, etc,” Westergren said in a blog post.
The researcher developed a proof-of-concept (PoC) he sent to Verizon along with a vulnerability report on April 14. Verizon patched the flaw one month later. While analyzing the issue, the company identified similar problems in other requests as well.