Oh, the irony! Identity theft protection service LifeLock has exposed millions of their customers’ email addresses. And according to Krebs on Security, the exploitable vulnerability was so basic that it seems “that whoever put it together lacked a basic understanding of Web site authentication and security”! Not exactly what you want to hear about a company you are trusting to keep your identity, you know, secure.
According to Krebs on Security, the email address vulnerability, which was discovered (and fixed) this past week, “allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.”
Of course, email addresses are easily exploited. With an email address and the knowledge that the person at the other end of that email address already has an existing relationship with LifeLock, it would not be hard for a scammer to trick that person into revealing even more personal details, leading to, wait for it, identity theft. The very thing from which LifeLock’s customers are paying LifeLock to protect them!
Moreover, many email addresses take the form of firstname.lastname@somewhere. With the email address and name, it is very easy for someone to pretend to be that person which is, wait for it, identity theft!
This is not the first time that we have written about LifeLock being in trouble. In 2010 LifeLock settled a lawsuit brought against them by the Federal Trade Commission, about which then FTC Chairman Jon Leibowitz said “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”
Well, it seems they had another big hole.
Now, it would have been bad enough if the big hole was that email addresses were exposable. However, the reason that the email addresses were discoverable is because each subscriber’s subscriber key (i.e. their unique identifier) was displayed in plain sight, unencrypted, in the browser address bar.
For example, you would see in your browser address bar:
(12345678 is just a random number we made up)
By entering that address in the browser, you would see that LifeLock customer’s full email address, in the clear, because that address would take you to customer #12345678’s email preference center at LifeLock, where you could also unsubscribe them. While that in and of itself is not a big deal, imagine being a LifeLock customer, and getting an email which looks exactly as if it’s from LifeLock, and saying something like:
“We recently noticed some unusual activity in your LifeLock account. Please change your password here: (insert cloaked URL made to look like a LifeLock URL, but actually going to the bad guys’ password grabber). This email was sent by LifeLock to (customer’s email address). Your LifeLock subscriberkey is 12345678.”
For sure that would fool some people into giving up their passwords.
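As an added example that is not from the post or from LifeLock, here is a Python sketch of the kind of lookup the post describes beside a hardened version: the weak handler trusts the sequential subscriberkey alone, while the hardened one requires an HMAC token bound to that key (compared in constant time) and never echoes the full address back. The CUSTOMERS table, SERVER_SECRET and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: subscriber key -> email address (not real customers).
CUSTOMERS = {
    "12345678": "firstname.lastname@example.com",
    "12345679": "someone.else@example.net",
}

# Hypothetical server-side secret; a real deployment loads it from a secrets store.
SERVER_SECRET = secrets.token_bytes(32)


def preference_page_vulnerable(params: dict) -> Optional[str]:
    """Mirrors the flaw in the post: the only 'credential' is a sequential
    subscriberkey, so anyone who counts through keys reads every address."""
    return CUSTOMERS.get(params.get("subscriberkey", ""))


def make_preferences_token(subscriber_key: str) -> str:
    """Mint the unguessable token embedded in the emailed preferences link.
    HMAC-SHA256 over the key means a token cannot be forged or enumerated."""
    return hmac.new(SERVER_SECRET, subscriber_key.encode(), hashlib.sha256).hexdigest()


def mask_email(address: str) -> str:
    """Show only enough of the address for the customer to recognise it."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain}"


def preference_page_hardened(params: dict) -> Optional[str]:
    """Require a token bound to the requested subscriberkey, compare it in
    constant time, and never echo the full address back to the page."""
    key = params.get("subscriberkey", "")
    token = params.get("token", "")
    if key not in CUSTOMERS:
        return None
    if not hmac.compare_digest(make_preferences_token(key), token):
        return None  # wrong or missing token: same response as an unknown key
    return mask_email(CUSTOMERS[key])
```

The hardened handler returns the same empty result for an unknown key and for a bad token, so a caller cannot tell which keys exist.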
Now, we hasten to add that at this point there does not seem to be any evidence that this was exploited before the vulnerability was closed; however, there is a lot of evidence that this obvious vulnerability should not happen on any commercial site, let alone the site of a company whose entire business is based on protecting their customers’ identities!
By the way, you can read Krebs’ full exposé on this here: LifeLock Bug Exposed Millions of Customer Email Addresses