Oh, the irony! Identity theft protection service LifeLock has exposed millions of their customers’ email addresses. And according to Krebs on Security, the exploitable vulnerability was so basic that it seems “that whoever put it together lacked a basic understanding of Web site authentication and security”! Not exactly what you want to hear about a company you are trusting to keep your identity, you know, secure.
According to Krebs on Security, the email address vulnerability, which was discovered (and fixed) this past week, “allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.”
Of course, email addresses are easily exploited. With an email address and the knowledge that the person at the other end of that email address already has an existing relationship with LifeLock, it would not be hard for a scammer to trick that person into revealing even more personal details, leading to, wait for it, identity theft. The very thing from which LifeLock’s customers are paying LifeLock to protect them!
Moreover, many email addresses take the form of firstname.lastname@somewhere. With the email address and name, it is very easy for someone to pretend to be that person which is, wait for it, identity theft!
This is not the first time that we have written about LifeLock being in trouble. In 2010 LifeLock settled a lawsuit brought against them by the Federal Trade Commission, about which then FTC Chairman Jon Leibowitz said “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”
|Get notified of new Internet Patrol articles for free!
|Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!
Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Well, it seems they had another big hole.
Now, it would have been bad enough if the big hole was that email addresses were exposable. However, the reason that the email addresses were discoverable is because each subscriber’s subscriber key (i.e. their unique identifier) was displayed in plain site, unencrypted, in the browser address bar.
For example, you would see in your browser address bar:
|We know you're sick of ads on websites. But we still need to pay to keep the lights on for you. So instead of huge ads and video ads, we use smaller, plainer ads. Still, if you'd like to support the Internet Patrol but not the ads, please consider supporting us here:|
(12345678 is just a random number we made up)
By entering that address in the browser, you would see that Lifelock customer’s full email address, in the clear, because that address would take you to customer #12345678’s email preference center at LifeLock, where you could also unsubscribe them. While that in and of itself is not a big deal, imagine being a LifeLock customer, and getting an email which looks exactly as if it’s from LifeLock, and saying something like:
“We recently noticed some unusual activity in your LifeLock account. Please change your password here: (insert cloaked URL made to look like a LifeLock URL, but actually going to the bad guys’ password grabber). This email was sent by LifeLock to (customer’s email address). Your LifeLock subscriberkey is 12345678.”
For sure that would fool some people into giving up their passwords.
Now, we hasten to add that at this point there does not seem to be any evidence that this was exploited before the vulnerability was closed, however there is a lot of evidence that this obvious vulnerability should not happen on any commercial site, let alone the site of a company whose entire business is based on protecting their customers’ identities!
By the way, you can read Krebs’ full expose on this here: LifeLock Bug Exposed Millions of Customer Email Addresses
No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!
|Get notified of new Internet Patrol articles!