“This is a great example of how the general curiosity of the public makes the Internet safer for all users. It demonstrates the value of coordinated disclosure and open vulnerability acceptance by companies.
“In case of this particular vulnerability, ALL of Verizon’s customer email accounts were vulnerable. Moving at the speed of business, it can be hard for IT and Security teams to stay fully synchronized, making sure applications undergo sufficient vulnerability testing and certification before launch. The security team is often more frustrated by this than any other part of the organisation, especially when applications or web services like this API get launched without their review. The impact of a vulnerability like this can be devastating.
Free eBook: Modern Retail Security Risk – Get your copy now.
“In this case, a web service (also referred to as an API – Application Programing Interface) had been deployed unencrypted. While the service did require authentication, (It forced application users to identify themselves, logging in with a username and password.) it did not have authorisation controls in place. This basically means Bob could log into the web service, then ask for Ryan’s email… or any other Verizon user’s email address he knew.
“Thankfully, the researcher felt safe in reporting his finding to Verizon. The research community is often intimidated away from reporting vulnerabilities to companies due to confusing laws and corporate lawyers responding unfavourably to any external entity finding flaws that could affect the company’s public image.
“Randy Westergren (per his blog) believes in disclosure, apparently did a solid job communicating his finding, and provided a proof of concept exploit that effectively communicated and demonstrated the risk exposed by the vulnerable API. Kudos to Randy and Verizon for a textbook example of coordinated disclosure and for acting in the best interest of customers.”
By Trey Ford, Global Security Strategist, Rapid7
Rapid7’s mission is to develop simple, innovative solutions for security’s complex challenges. The company understands the attacker better than anyone and builds that insight into its security software and services. Rapid7’s IT security analytics solutions collect, contextualize, and analyze the security data users need to dramatically reduce threat exposure and detect compromise in real-time. They speed investigations so customers can halt threats and clean up systems fast. Unlike traditional vulnerability assessment or incident management, Rapid7 provides insight into the security state of your assets and users, across virtual, mobile, private and public cloud networks.
The company offers advanced capabilities for vulnerability management, penetration testing, endpoint controls assessment, and incident detection and investigation. Its attacker intelligence is informed by more than 200,000 members of the Metasploit community, the industry-leading Rapid7 Research Labs, and its experienced security services team. Rapid7 is trusted by more than 3,000 organizations across 78 countries, including more than 250 of the Fortune 1000.