
Thread: LifeLock Bug Exposed Millions of Customer Email Addresses

  1. #1

    LifeLock Bug Exposed Millions of Customer Email Addresses

    Identity theft protection firm LifeLock - a company that’s built a name for itself based on the promise of helping consumers protect their identities online - may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.
    The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.


    LifeLock’s Web site exposed customer email addresses by tying each customer account to a numeric “subscriberkey” that could be easily enumerated. Pictured above is customer number 55,739,477.



    Pictured above is a redacted screen shot of one such record. Notice how the format of the link in the browser address bar ends with the text “subscriberkey=” followed by a number. Each number corresponds to a customer record, and the records appear to be sequential. Translation: It would be trivial to write a simple script that pulls down the email address of every LifeLock subscriber.
    Security firm Symantec, which acquired LifeLock in November 2016 for $2.3 billion, took LifeLock.com offline shortly after being contacted by KrebsOnSecurity. According to LifeLock’s marketing literature, the company has more than 55 million customer accounts.
    KrebsOnSecurity was alerted to the glaring flaw by Nathan Reese, a 42-year-old freelance security researcher based in Atlanta who is also a former LifeLock subscriber. Reese said he discovered the data leak after receiving an email to the address he had previously used at LifeLock, and that the message offered him a discount for renewing his membership.
    Clicking the “unsubscribe” link at the bottom of the email brought up a page showing his subscriber key, which was in the 55 million ballpark (55739477, to be exact). From there, Reese said, he wrote a proof-of-concept script that began sequencing numbers and pulling down email addresses. Reese said he stopped the script after it enumerated approximately 70 emails because he didn’t want to set off alarm bells at LifeLock.
    “If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them,” Reese said.
    “That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”


    LifeLock’s Web site is currently offline.


    Misconfigurations like the one described above are some of the most common ways that companies leak customer data, but they’re also among the most preventable. Earlier this year, KrebsOnSecurity broke a story about a similar flaw at Panerabread.com, which exposed tens of millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card.

    https://www.zerohedge.com/news/2018-...mail-addresses
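The weak design the article describes (a sequential numeric subscriberkey as the only thing the unsubscribe page checks) beside a hardened form, as an added example that is not code from the article, LifeLock or the forum poster. The subscriber table, the signing secret and the token layout are constructed for illustration only.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: in a real deployment the signing secret
# would come from a secret manager, not be generated at import time.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample records keyed by a sequential numeric subscriber key,
# mirroring the "subscriberkey=55739477" style of link described above.
SUBSCRIBERS = {
    55739477: "alice@example.com",
    55739478: "bob@example.com",
}


def vulnerable_unsubscribe_page(subscriberkey: int):
    """Weak design: the number in the URL is the only credential and the
    page echoes the address back, so neighbouring keys reveal other customers."""
    return SUBSCRIBERS.get(subscriberkey)


def make_unsubscribe_token(subscriberkey: int) -> str:
    """Hardened design: the link carries a random nonce plus an HMAC that
    binds that nonce to one subscriber key under a server-side secret."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{subscriberkey}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{subscriberkey}.{nonce}.{mac}"


def verify_unsubscribe_token(token: str):
    """Return the subscriber key only when the MAC checks out, else None.
    Forged, tampered and malformed tokens all get the same answer as an
    unknown key, so the endpoint offers no enumeration oracle."""
    try:
        key_str, nonce, mac = token.split(".")
        subscriberkey = int(key_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{subscriberkey}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return subscriberkey if subscriberkey in SUBSCRIBERS else None


def hardened_unsubscribe_page(token: str) -> str:
    """Acts on a valid token without echoing the email address to the browser."""
    if verify_unsubscribe_token(token) is None:
        return "invalid or expired link"
    return "you have been unsubscribed"
```

Swapping the bare key for a signed token removes the sequential-guessing problem; the same binding should apply to any other per-customer link (account view, preference change) that lands on the site unauthenticated.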



  2. #2
    Interesting. I've had the service a couple years and didn't know it was such a shoddy org. I'm going to have to reconsider my membership.

  3. #3
    Their entire business model has been exposed recently:



