Identity theft protection firm 'exposes customers to phishing attacks'

LifeLock web authentication blunder leaves subscriber email addresses exposed

Leaky bucket

What happens when a company you trust to safeguard your identity actually ends up being the very organisation that leaves you vulnerable to attack?

That's what customers of identity theft protection company LifeLock appear to be discovering, after researchers learned that a flaw in the company's website could be leaving customers vulnerable to spearphishing attacks.

The flaw was first reported by security expert Brian Krebs, who was alerted to it by US researcher Nathan Reese. Reese discovered the flaw after clicking on an unsubscribe link in one of LifeLock's emails, which took him to a page where he could update his email marketing preferences.

Advertisement - Article continues below

The URL for this preference centre featured a unique subscriber key, a numerical identifier used by LifeLock to internally catalogue customers. By changing this value in the URL, Reese was able to access the preference centre for other LifeLock subscribers - which meant that he could also see their email addresses.

"It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber," Krebs said. "The design of the company's site suggests that whoever put it together lacked a basic understanding of website authentication and security."

"If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them," said Reese. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spearphishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Readers may remember LifeLock as the company whose former CEO Todd Davis was so confident in its services that he ran numerous ads featuring his genuine social security number. He had his identity stolen at least 13 times.

LifeLock is now owned by security firm Symantec following a $2.3 billion acquisition in 2016, and as of January 2017, the company had more than 4.5 million subscribers. IT Pro has approached Symantec for comment.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020
BlackRock banking Trojan targets Android apps
trojans

BlackRock banking Trojan targets Android apps

27 Jul 2020
Election officials are vulnerable to phishing attacks, report warns
phishing

Election officials are vulnerable to phishing attacks, report warns

27 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020