Theft Protection Service Puts Users' Identities in Jeopardy

A service known to protect the identities of users is now realizing it might have made its users vulnerable to attack.

• By Sydny Shepard
• Jul 27, 2018

LifeLock's identity theft protection service suffered from a security flaw that made users' identities vulnerable to potential attackers. The even forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity.

“It is a bit ironic that LifeLock is a security company focused on helping 4.5 million consumers protect their online identities," Pravin Kothari, CEO of CipherCloud said. "They need to be on top of cyber defense best practices. This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse."

According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability when he received a newsletter from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.

“This is a poor programming practice, not a misconfiguration," Mounir Hahad, head of threat research at Juniper Networks said. "On a positive note, it’s good that only email addresses were leaked. These are still valuable, but not as valuable as if names were associated with them. Single email addresses with names, or even a few hundred, might not have much street value on the dark web, but a list of several million could fetch a few thousand dollars."

Hahad explains that the trouble begins when email address and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013.

"From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers," Hahad said.

How could this have been avioided? Kothari says LifeLock should do what the financial industry does.

"They regularly hire white hat hackers to penetration test their network and external defenses," Kothari said. "This is exactly the sort of incorrect set-up and misconfiguration a reputable penetration tester would have likely discovered. It would have been quietly fixed by now - no harm, no foul. All of this hoopla over the huge potential exposure of LifeLock customer data was totally avoidable.”