The billing section of Verizon’s account portal for residential customers had a CORS misconfiguration that would have allowed another site open in the same browser to download copies of the user’s bills in PDF format. The vendor has deployed a fix for this issue.
Because the vendor stopped responding, the issue has been fixed, and a year has passed, we are now disclosing this publicly.
Normal browser security mechanisms (the same-origin policy) prohibit a script on one website from reading responses from websites not hosted on the same domain. An override mechanism, Cross-Origin Resource Sharing (CORS), exists for use cases where such cross-site access is desired. This mechanism employs several headers that allow clients and servers to signal each other when such access is desired. One of those headers is the “Access-Control-Allow-Origin” header sent by the server, indicating which domains are allowed to access a given endpoint or API.
The billing download endpoint (“https://www.verizon.com/digitalservices/billing/billdownload/v1/downloadpaperpdf”) in Verizon’s residential control panel had a CORS misconfiguration. The “Access-Control-Allow-Origin” header was not restricted to the sites operated by Verizon; instead it simply mirrored the domain provided in the client’s request (via the “Origin” header). This could potentially allow other sites to access this endpoint and download the user’s bills in PDF format if the user was logged in to the Verizon website at the same time.
This issue was tested on Firefox; it is not known whether other browsers were also affected.
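As an added illustration (not the advisory’s proof of concept, which is not reproduced on this page), the following Python models the server-side decision the advisory describes: the Origin-mirroring behaviour beside an allow-listed version, plus a header audit that flags the mirrored case. The vendor origins are constructed placeholders, and the credentialed case (Access-Control-Allow-Credentials: true) is assumed, since the advisory only states that the user had to be logged in.

```python
# Constructed allow-list standing in for the sites a vendor actually operates (assumption).
ALLOWED_ORIGINS = {"https://www.example-vendor.com", "https://billing.example-vendor.com"}


def mirrored_cors_headers(request_origin):
    """The weak behaviour described in the advisory: echo whatever Origin the client sent.
    Combined with credentials, any site can read the logged-in user's response."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Corrected behaviour: only an exact-match allow-listed origin gets an ACAO header.
    Exact set membership avoids suffix/regex mistakes such as matching
    'https://www.example-vendor.com.attacker.example'."""
    if request_origin in allowed:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                # Vary: Origin keeps caches from serving one origin's ACAO to another.
                "Vary": "Origin"}
    return {}  # no ACAO header at all: the browser refuses the cross-site read


def classify_cors(request_origin, response_headers, trusted=ALLOWED_ORIGINS):
    """Audit verdict for one request/response pair from a site you operate.
    'reflected-with-credentials' is the bill-download pattern: an untrusted Origin
    was echoed back and credentials were allowed, so the user's session cookies
    would be sent with the cross-site request and the response would be readable."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "blocked"
    if acao == "*":
        # Browsers reject '*' together with credentials, but it is still a misconfiguration.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == request_origin and request_origin not in trusted:
        return "reflected-with-credentials" if creds else "reflected"
    return "allowlisted"


if __name__ == "__main__":
    untrusted = "https://attacker.example"  # constructed third-party origin
    print(classify_cors(untrusted, mirrored_cors_headers(untrusted)))     # reflected-with-credentials
    print(classify_cors(untrusted, allowlisted_cors_headers(untrusted)))  # blocked
```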
Code To Replicate
The following code was used to replicate the issue originally:
This issue was reported to the vendor and a fix has been deployed.
MDN Reference for CORS
OWASP HTML5 Security Cheat Sheet
Text of the advisory written by Y. Shafranovich.
2019-10-09: Initial report to the vendor
2019-10-08: Vendor requests POC, POC sent
2019-10-24: Pinged for status
2019-10-29: Issue still being investigated
2019-11-30: Pinged for status, issue still being investigated
2019-12-14: Pinged for status, issue still being investigated
2020-01-30: Vendor pinged for disclosure coordination
2020-01-31: Issue fixed, vendor asks for confirmation
2020-02-02: Fix confirmed, asked for disclosure coordination
2020-02-13: Vendor requests a copy of proposed advisory for review
2020-02-17: Draft advisory provided for review; vendor asks to remove their name from the advisory, request is denied; vendor stops responding
2021-03-03: Public disclosure