Verizon has rushed an update to its FiOS-branded email service to patch a security vulnerability which could have allowed attackers to gain access to anyone’s account.
A researcher disclosed the vulnerability, which was caused by a problem with the API used by the My FiOS application to fetch user information, to Verizon on January 14. The issue was reportedly fixed less than 48 hours after the company first learned of it.
It’s clear that Verizon took the issue seriously — as well it should, considering the amount of information sent to consumers’ email addresses every single day. As ThreatPost explained in an article about the vulnerability’s potential ramifications:
“The vulnerability allowed an attacker the ability not just to access the inbox and read messages, but also send and delete. Given that password resets are often sent over email, an attacker could leverage that access to gain access to other online services such as banking or social media.”
The episode also demonstrates the risk associated with many security tools. It doesn’t matter how secure other websites are if important tools like email addresses, phone numbers, and the like are compromised. Once those go, everything else goes.
That’s a scary thought. But at least Verizon promptly responded to warnings about this vulnerability, unlike other companies, which may learn about a problem and still not have attempted to fix it a year and a half later, despite repeated warnings from researchers.
Source: Verizon fixes a critical security flaw in 48 hours instead of lounging around for over a year, Nathaniel Mott (http://pando.com/2015/01/20/verizon-fixes-a-critical-security-flaw-in-48-hours-instead-of-lounging-around-for-over-a-year/)