Identity theft protection firm 'exposes customers to phishing attacks'
LifeLock web authentication blunder leaves subscriber email addresses exposed


What happens when a company you trust to safeguard your identity actually ends up being the very organisation that leaves you vulnerable to attack?
That's what customers of identity theft protection company LifeLock appear to be discovering, after researchers learned that a flaw in the company's website could be leaving customers vulnerable to spearphishing attacks.
The flaw was first reported by security expert Brian Krebs, who was alerted to it by US researcher Nathan Reese. Reese discovered the flaw after clicking on an unsubscribe link in one of LifeLock's emails, which took him to a page where he could update his email marketing preferences.
The URL for this preference centre featured a unique subscriber key, a numerical identifier used by LifeLock to internally catalogue customers. By changing this value in the URL, Reese was able to access the preference centre for other LifeLock subscribers - which meant that he could also see their email addresses.
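The flaw Reese describes is an access-control failure: the server treated a guessable numeric key taken from the URL as sufficient proof of who the visitor was, so the key doubled as the only credential. The Python below is an added illustration, not LifeLock's code or anything reproduced from the article. It sets a hypothetical preference-centre lookup in that vulnerable form beside a hardened form in which the unsubscribe link carries an HMAC-signed, expiring token, so that altering the key portion invalidates the link instead of revealing another subscriber's record. The subscriber records, the server secret, the token layout and all function names are constructed for the example.

```python
"""Hypothetical preference-centre lookup: the insecure pattern described in the
article beside a hardened version that uses HMAC-signed, expiring tokens.
Everything here (records, secret, names) is constructed for illustration."""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subscriber:
    key: int
    email: str
    marketing_opt_in: bool


# Constructed sample data. Sequential integer keys mimic the kind of internal
# catalogue identifier the article describes.
SUBSCRIBERS = {
    1001: Subscriber(1001, "alice@example.com", True),
    1002: Subscriber(1002, "bob@example.com", False),
}


def get_preferences_insecure(subscriber_key: int) -> Optional[Subscriber]:
    """Vulnerable pattern: the numeric key from the URL is the only thing
    consulted, so any visitor who edits it reads another subscriber's record."""
    return SUBSCRIBERS.get(subscriber_key)


# Assumption: this secret lives only on the server and is rotated like any
# other credential. The value is a constructed placeholder.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 7 * 24 * 3600  # unsubscribe links stop working after a week


def _signature(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    digest = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_token(subscriber_key: int, now: Optional[int] = None) -> str:
    """Build the token embedded in the emailed link: key.expiry.signature.
    The key is still visible, but it is now bound to a signature the client
    cannot forge without SERVER_SECRET."""
    now = int(time.time()) if now is None else now
    payload = f"{subscriber_key}.{now + TOKEN_TTL}"
    return f"{payload}.{_signature(payload.encode())}"


def get_preferences_secure(token: str, now: Optional[int] = None) -> Optional[Subscriber]:
    """Hardened lookup: release a record only when the token's signature
    verifies and the link has not expired. Any change to the key or expiry
    breaks the signature, so editing the URL yields nothing."""
    now = int(time.time()) if now is None else now
    try:
        key_str, exp_str, sig = token.split(".")
        key = int(key_str)
        expiry = int(exp_str)
    except ValueError:
        return None  # malformed token
    expected = _signature(f"{key_str}.{exp_str}".encode())
    # Constant-time comparison so timing does not leak partial matches.
    if not hmac.compare_digest(sig, expected):
        return None
    if now > expiry:
        return None
    return SUBSCRIBERS.get(key)


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # pinned clock so the demo is repeatable
    link_token = issue_token(1001, now=fixed_now)
    print("insecure lookup of a neighbouring key:", get_preferences_insecure(1002))
    print("secure lookup with genuine token:", get_preferences_secure(link_token, now=fixed_now))
    key, exp, sig = link_token.split(".")
    print("secure lookup after editing the key:", get_preferences_secure(f"1002.{exp}.{sig}", now=fixed_now))
```

The essential change is that the identifier in the link is no longer accepted on its own: the server must recompute the signature over the key and expiry and see it match before it touches the subscriber table. The same protection can be obtained by requiring a logged-in session and checking that the requested key belongs to that session's account; a signed token is the usual choice for one-click links that must work without a login.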
"It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber," Krebs said. "The design of the company's site suggests that whoever put it together lacked a basic understanding of website authentication and security."
"If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them," said Reese. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spearphishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."
Readers may remember LifeLock as the company whose former CEO Todd Davis was so confident in its services that he ran numerous ads featuring his genuine social security number. He had his identity stolen at least 13 times.
LifeLock is now owned by security firm Symantec following a $2.3 billion acquisition in 2016, and as of January 2017, the company had more than 4.5 million subscribers. IT Pro has approached Symantec for comment.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.