Listen up, Microsoft -- Verizon fixes critical email security flaw in two days
When it comes to fixing security problems, it's better for everyone involved if a patch can be released as quickly as possible. A few days ago, a critical vulnerability was discovered in Verizon's FiOS app by Randy Westergren when he found it was possible to access the mail account of any Verizon customer with relative ease.
In stark comparison to the unhurried approach adopted by Microsoft to fixing problems identified in Windows -- on more than one occasion failing to hit a public disclosure deadline set by Google -- Verizon acknowledged, investigated and fixed the problem within two days. The problem itself was worrying, but the speed of reaction is impressive.
Back on January 14, Randy discovered that it was possible to not only read the contents of other users' inboxes, but also send message on their behalf. The discovery came about when analyzing traffic generated by the Android app. An API call made clear references to Randy's username, and a quick tweak was all it took to access other people's inboxes.
The security researcher took the time to put together a proof of concept having determined that there was serious cause for concern, and then sent this to Verizon. The company acknowledged receipt of the notification the same day, followed up the next day, and had the problem fixed the next. That's precisely how it should be done: quickly and efficiently. Microsoft could learn a lot.
Google has been berated for publically detailing information about vulnerabilities in Windows, and naming itself arbiter of security. While adopting Google's attitude does run something of a risk of opening up users to danger, having a three month deadline in place to give Microsoft (and other companies -- this is not just about Microsoft) time to patch is more than reasonable. I have applauded Google for continuing to publish details of security problems after first warning Microsoft, and I applaud Verizon for addressing an issue in such a timely fashion.
That's not to say that Verizon is perfect -- far from it many would say. As a commenter on Randy's blog points out, the company's app uses HTTP rather than HTTPS to transmit sensitive data, so perhaps this should be next on the list of things that are given attention.