How? By having a vulnerability “on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.”
Krebs didn’t discover this security hole himself. The credit goes to Nathan Reese, a freelance security researcher and former LifeLock subscriber. Reese found that clicking the “unsubscribe” link at the bottom of a LifeLock email brought up a page showing his subscriber key. Using that as a starting point, Reese wrote a proof-of-concept script that walked through other subscriber key numbers and pulled down the email addresses associated with them.
Armed with those, Reese observed, “If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there.”
Juniper Networks’ head of threat research, Mounir Hahad, commented, “This is poor programming practice, not a misconfiguration.” The real trouble begins, he continued, “when these email addresses and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013. From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers.”
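Hahad’s “poor programming practice” point in concrete terms. What follows is an added example, not code from LifeLock, its marketing vendor or Krebs’s report: a weak unsubscribe handler that trusts a sequential subscriber key and echoes the account’s email address, the enumeration loop that such a design invites, and a hardened handler that accepts only an HMAC-signed, expiring token and reveals nothing about the account. The customer table, the key format, the 30-day token lifetime and the token layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory customer table standing in for the vendor's database.
# Real key format, schema and record counts are not known; these are made up.
CUSTOMERS: Dict[int, dict] = {
    1001: {"email": "alice@example.com", "opted_out": False},
    1002: {"email": "bob@example.com", "opted_out": False},
    1003: {"email": "carol@example.com", "opted_out": False},
}


def vulnerable_unsubscribe(subscriber_key: int) -> Optional[str]:
    """Weak pattern: a guessable sequential number is the only credential,
    and the page echoes the account's email address back to whoever asks."""
    record = CUSTOMERS.get(subscriber_key)
    if record is None:
        return None
    record["opted_out"] = True      # anyone can opt any customer out ...
    return record["email"]          # ... and learn that customer's address


def enumerate_emails(start: int, stop: int) -> Dict[int, str]:
    """The enumeration the article describes: walk key numbers and keep
    whatever the weak endpoint returns. Runs only against the table above."""
    found = {}
    for key in range(start, stop):
        email = vulnerable_unsubscribe(key)
        if email:
            found[key] = email
    return found


# Hardened version. SECRET is a per-deployment key assumed to live only
# server-side; TOKEN_TTL is an assumed 30-day validity window.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 30 * 24 * 3600


def _mac(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_unsubscribe_token(subscriber_key: int, now: Optional[int] = None) -> str:
    """Mint the opaque token to embed in the email's unsubscribe link.
    Layout (assumed): '<key>.<expiry>.<hmac-sha256>'. Without SECRET an
    attacker cannot forge a token for any other key, so there is nothing
    to enumerate."""
    now = int(time.time()) if now is None else now
    payload = f"{subscriber_key}.{now + TOKEN_TTL}".encode()
    return f"{payload.decode()}.{_mac(payload)}"


def hardened_unsubscribe(token: str, now: Optional[int] = None) -> bool:
    """Verify the MAC in constant time, reject expired or malformed tokens,
    and never reveal the email address: the only output is done / invalid."""
    now = int(time.time()) if now is None else now
    try:
        key_str, exp_str, mac = token.split(".")
        key, exp = int(key_str), int(exp_str)
    except ValueError:
        return False
    payload = f"{key}.{exp}".encode()
    if not hmac.compare_digest(_mac(payload), mac):
        return False
    if exp < now:
        return False
    record = CUSTOMERS.get(key)
    if record is None:
        return False
    record["opted_out"] = True
    return True


if __name__ == "__main__":
    print("weak endpoint leaks:", enumerate_emails(1000, 1010))
    tok = issue_unsubscribe_token(1002)
    print("hardened, valid token:", hardened_unsubscribe(tok))
    print("hardened, forged token:", hardened_unsubscribe("1003.9999999999.00"))
```

The fix is not the HMAC on its own: the hardened handler also stops echoing the address, so even a legitimately obtained link cannot be turned into a lookup oracle for the account it belongs to.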
Symantec, which bought LifeLock in 2016, quickly shifted the blame onto another company. In a statement, Symantec claimed, “This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.”
That would be because, as far as anyone knows, no one else had used that security hole yet. As an excuse, it doesn’t cut it. It’s nice that the brakes were fixed before there was an accident, but for some time LifeLock had partnered with a company that didn’t provide any brakes at all.
The site, while run by a third party, certainly appears to visitors to be an official LifeLock site. In addition, several eagle-eyed commenters noticed from the LifeLock screenshots that the site seems to have a misconfigured Transport Layer Security (TLS) certificate.
Others noted that the site appears not to have been updated since 2015. Has this hole been there for three years? Maybe. Some people might say that, since there was no harm, there was no foul, and that there’s really no security news here.
Wrong. As Krebs said in a follow-up note, “It’s newsworthy because a company like this shouldn’t be making such Internet Security 101 mistakes, and the fact that they did in this case raises legitimate questions about whether they take user account security seriously.”
I can only add that LifeLock’s entire reason to exist is to protect your identity. If it fails on something as fundamental as this, you really must ask: “How safe is it?”