In a revelation that is sure to send shockwaves through the cybersecurity community, investigative journalist Brian Krebs has reported a vulnerability on LifeLock’s website permitted the indexing of email addresses associated with millions of its customer accounts.
The bug makes it possible to unsubscribe LifeLock users from company dispatches, but of much more serious import here is the inexpert way the LifeLock leaked what is an increasingly vulnerable piece of personally identifiable information: namely, email addresses.
LifeLock’s parent company, Symantec, considered the revelation to be serious enough to take LifeLock’s estimated 4.5 million customers accounts offline after the story broke.
According to Krebs, “the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.” Nathan Reese, a 42-year-old freelance security researcher based in Atlanta who is also a former LifeLock subscriber discovered the flaw:
Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.
Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key. From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.
“If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said. “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
“For a company that aggressively markets its ability to protect consumers from identity-related crime, the revelation coming from an outside probe and not through an internal discovery process is a matter of grave concern,” CyberScout Chairman and founder Adam Levin commented.
That Brian Krebs was the chosen outlet should be no surprise.
“Brian Krebs continues to be at the center of cyber universe surfacing these types of incidents, CyberScout CEO Matt Cullina said. “He cultivates great sources, and doesn’t just take their word for findings, but does his own research and confronts companies head on. He’s a true asset to the cybersecurity community.”
