LifeLock Bug: Millions of Email Addresses Were Left out in the Open
We have discussed identity theft protection on these pages, and we have hopefully helped you understand what the service offers, what it doesn't offer, and under which circumstances it can be beneficial to you. Today, we'll need to talk about identity theft protection once again, but this time, the reasons will be different.
Incorporated some thirteen years ago and owned by Symantec, LifeLock is a provider of identity theft protection services. Nathan Reese, a freelance security researcher, apparently used LifeLock a few years ago, and he recently noticed that he was still receiving emails urging him to renew his subscription. He did what many people would do – he hit the "Unsubscribe" link. He was taken to the kind of marketing survey you so often get when you're trying to stop using a particular online service, and that's where something caught Reese's eye.
He noticed that the URL in the address bar ended with "subscriberkey=" followed by an eight-digit number. That number was the only thing identifying him to the page. He tried changing it, and, lo and behold, he ended up on the "Unsubscribe" page of another user, which displayed that user's email address; no login or any other check stood in the way. Curious, Reese wrote a simple script that automatically churned through a sequence of numbers, and in no time, he had about 70 email addresses of LifeLock customers.
He then got in touch with Brian Krebs who, in turn, contacted LifeLock, and within hours, the issue was resolved. Later, Krebs publicly broke the story, and although it's now in the past, it still attracts some controversy.
Not everyone seems to agree on how bad the bug was
On Friday, Symantec issued a statement which, if the title is anything to go by, should explain how they resolved the problem. In reality, it just thanks Brian Krebs for the responsible disclosure and tries to imply that the issue wasn't that serious.
They pointed out that the "Unsubscribe" system is managed by a third party and that it exposed nothing more than the email addresses of their customers. They also said that apart from the 70 emails collected by Reese, they have no evidence of more data being harvested. That reassurance is only as good as the access logs behind it: a sequential scan of an unauthenticated page leaves little more than a spike in requests, and only someone who is looking will notice it. It is true that the bug didn't expose any particularly sensitive information, but this doesn't mean that LifeLock should be let off lightly.
First of all, the irony of an identity theft protection company failing to secure its customers' data is undeniable. It can also be argued that what LifeLock describe as a "misconfiguration" is, in fact, a serious design flaw: a predictable, sequential identifier was the only thing standing between a visitor and another customer's record, the textbook shape of an insecure direct object reference. That is all it takes for a simple yet devilishly effective resource enumeration attack, and with an eight-digit key space, a single machine making a few hundred requests per second could walk through all of it in a matter of days and collect the email addresses of millions of people. The value of such a list is not the addresses themselves but the fact that every one of them belongs to a LifeLock customer, which is exactly what a convincing spearphishing campaign needs. The argument that a third party is managing the vulnerable system doesn't really hold water either, because, at the end of the day, people are entrusting their data to LifeLock, not to an as yet unnamed third party.
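To make the two points above concrete, here is an added example (not code from the article, from Reese, or from LifeLock) that models the enumeration described earlier and the design that would have stopped it. The subscriber table, the addresses and the exact key format are constructed for the demonstration; the only thing taken from the article is that the key was a sequential eight-digit number that alone selected the record. The hardened handler binds the record id to an HMAC tag under a server-side secret, so a guessed id without the matching tag is rejected, and it shows a masked address rather than the full one.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample data: a few subscribers with sequential record ids.
# The real system's data model is not known beyond the eight-digit key.
SUBSCRIBERS: Dict[int, str] = {
    10000001: "alice@example.com",
    10000002: "bob@example.com",
    10000007: "carol@example.com",
}


# --- Vulnerable design: the link carries the bare sequential record id -------

def unsubscribe_page_sequential(subscriberkey: str) -> Optional[str]:
    """Serve the unsubscribe page for any valid id, guessed or not.
    Returns the email the page would display, or None for an unknown key."""
    try:
        record_id = int(subscriberkey)
    except ValueError:
        return None
    return SUBSCRIBERS.get(record_id)


def enumerate_keys(handler: Callable[[str], Optional[str]],
                   start: int, count: int) -> Dict[str, str]:
    """What a harvesting script does: walk a range of keys and keep whatever
    the handler leaks. Works unchanged against either handler below."""
    found: Dict[str, str] = {}
    for record_id in range(start, start + count):
        key = f"{record_id:08d}"          # eight-digit key, as in the article
        email = handler(key)
        if email is not None:
            found[key] = email
    return found


# --- Hardened design: key = id + HMAC(secret, id) ----------------------------
# Assumption of this example: an HMAC tag bound to the id. Storing a random
# per-subscriber token instead is equally valid and avoids a long-lived secret.

SERVER_SECRET = secrets.token_bytes(32)   # in a real deployment: kept outside the code


def make_unsubscribe_key(record_id: int) -> str:
    """Build the unguessable key that goes into the email's unsubscribe link."""
    tag = hmac.new(SERVER_SECRET, str(record_id).encode(), hashlib.sha256).hexdigest()
    return f"{record_id}.{tag}"


def mask_email(email: str) -> str:
    """A legitimate visitor only needs to recognise the address, not read it."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}"


def unsubscribe_page_signed(subscriberkey: str) -> Optional[str]:
    """Serve the page only if the tag matches the id; show a masked address."""
    record_id_str, sep, tag = subscriberkey.partition(".")
    if not sep or not record_id_str.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, record_id_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    email = SUBSCRIBERS.get(int(record_id_str))
    return mask_email(email) if email else None


if __name__ == "__main__":
    print("sequential design, 10 keys scanned:",
          enumerate_keys(unsubscribe_page_sequential, 10000000, 10))
    print("signed design, same scan:",
          enumerate_keys(unsubscribe_page_signed, 10000000, 10))
    print("signed design, genuine link:",
          unsubscribe_page_signed(make_unsubscribe_key(10000002)))
```

Against the sequential design the ten-key scan returns every populated record in the range; against the signed design the same scan returns nothing, while the genuine link still works and reveals only a masked address. Note that the enumeration loop itself never changes: the defence has to live in the key, not in hoping nobody iterates it.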
Telefonica, one of the biggest telecommunications providers in Spain, was found to have a similar flaw in its systems not more than two weeks ago. It allowed for a lot more information to be exfiltrated, but we reckon that the faces at LifeLock might be just a shade redder, as this is a company that surely should know better.