How LifeLock Exposed Your Email Address

UPDATED 4:30 p.m. Eastern Thursday with comment from LifeLock.

When a company specifically designed to prevent identity theft starts leaking your information, there's a moment of delicious irony — possibly followed by indignation. LifeLock, which is paid to keep its customers' personal data as safe as possible, had a bug on its website that let anyone see customer email addresses by just changing a couple of numbers in a web-browser address bar.

Credit: LifeLock

This news broke after independent security reporter Brian Krebs was contacted by a reader of his Krebs on Security blog. The reader, Nathan Reese, is a security researcher who was once a LifeLock customer. An email from the company told Reese he could get a discount if he reactivated his subscription, and Reese, wanting to get off the LifeLock mailing list, clicked through. It was then that he noticed the URL.


Right in the hyperlink, plain as day, was a parameter called "subscriberkey" followed by a number: the identifier for Reese's own subscription record.

Reese swapped in other numbers and reloaded the page, which confirmed his suspicion: whenever the number matched an existing record, the page displayed another LifeLock user's email address in plain text and let Reese change that user's email subscription preferences. The server checked nothing beyond the number in the URL. Reese told Krebs that he collected about 70 email addresses in this manner just to prove that he could.

On the surface, this may seem like a relatively minor breach of privacy. After all, the only information directly exposed is a user's email address, and it's not at all clear whether anyone other than Reese had discovered or exploited this flaw. The subscriber key is not derived from the email address, so the number alone reveals nothing about the address, and being able to read the address did not give the viewer access to the user's LifeLock account.

But, as Krebs pointed out, "It would be trivial to write a simple script that pulls down the e-mail address of every LifeLock subscriber." (Notorious hacker Andrew Auernheimer, aka "Weev," spent more than a year in federal prison for doing just that in 2010 to an AT&T subscriber website that had the same kind of flaw; his conviction was later vacated on appeal.)

In other words: A savvy cybercriminal could have simply trawled the LifeLock subscriber page, incrementing the subscriber key one number at a time, until he or she had a database of everyone signed up to receive emails from the service. At that point, he or she could phish those people, a large number of whom would be actual LifeLock customers, with realistic facsimiles of the LifeLock login page, or spear-phish high-profile users for even more sensitive data.
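To make the mechanics concrete, here is an added example, written for this article rather than taken from LifeLock or from Krebs, that models the flaw described above and one standard fix. The subscriber table, the key range and the server secret are constructed for illustration; LifeLock has not said how its vendor repaired the page, so the signed-token design below is an assumption about a typical remedy, not a description of the actual fix. The first half reproduces the insecure direct object reference and the enumeration script Krebs warned about; the second half binds the link to a server-side HMAC so that editing the number in the URL no longer returns anyone else's record.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data for the example (hypothetical; not LifeLock's records).
# Keys are sequential integers, which is what makes them guessable.
SUBSCRIBERS = {
    10001: "alice@example.com",
    10002: "bob@example.com",
    10003: "carol@example.com",
}


def lookup_record(subscriberkey: int) -> Optional[dict]:
    """Database lookup shared by both endpoints; returns None for unknown keys."""
    email = SUBSCRIBERS.get(subscriberkey)
    if email is None:
        return None
    return {"subscriberkey": subscriberkey, "email": email}


# --- Vulnerable design: the integer in the link is the only access control ---

def vulnerable_preferences(subscriberkey: int) -> Optional[dict]:
    """Model of the broken opt-out page: whatever number is in the URL selects the
    record, with nothing tying that number to the person who clicked (an IDOR)."""
    return lookup_record(subscriberkey)


def harvest_emails(start: int, stop: int) -> list[str]:
    """The 'simple script' Krebs describes: walk the key space, keep every hit."""
    found = []
    for key in range(start, stop):
        record = vulnerable_preferences(key)
        if record is not None:
            found.append(record["email"])
    return found


# --- Hardened design: the link carries a token only the server can mint ---

def make_optout_token(subscriberkey: int, secret: bytes) -> str:
    """Token placed in the email link: '<key>.<HMAC-SHA256(secret, key)>'.

    The key is still visible, but an attacker who edits it cannot produce the
    matching tag without the server secret, so the token becomes unguessable."""
    tag = hmac.new(secret, str(subscriberkey).encode(), hashlib.sha256).hexdigest()
    return f"{subscriberkey}.{tag}"


def hardened_preferences(token: str, secret: bytes) -> Optional[dict]:
    """Serve the record only if the tag verifies under the server's secret."""
    key_str, sep, tag = token.partition(".")
    if not sep or not key_str.isdigit():
        return None
    expected = hmac.new(secret, key_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return lookup_record(int(key_str))


def harvest_emails_hardened(start: int, stop: int,
                            attacker_secret: bytes, server_secret: bytes) -> list[str]:
    """The same enumeration against the hardened page: the attacker must forge
    tokens with a guessed secret, and every one of them is rejected."""
    found = []
    for key in range(start, stop):
        forged = make_optout_token(key, attacker_secret)
        record = hardened_preferences(forged, server_secret)
        if record is not None:
            found.append(record["email"])
    return found


if __name__ == "__main__":
    server_secret = b"hypothetical-server-secret"   # would be a random 32-byte key in production
    print("vulnerable page, keys 10000-10009:", harvest_emails(10000, 10010))
    legit = make_optout_token(10002, server_secret)
    print("legitimate link for 10002:", hardened_preferences(legit, server_secret))
    tampered = legit.replace("10002", "10003", 1)
    print("same link with key edited:", hardened_preferences(tampered, server_secret))
    print("enumeration against hardened page:",
          harvest_emails_hardened(10000, 10010, b"attacker-guess", server_secret))
```

Two caveats a practitioner would add: a signed key stops guessing but not replay, so a real opt-out link should also carry an expiry (or use a random opaque token stored per subscriber and revoked after use), and the endpoint should be rate-limited and logged, since a burst of sequential lookups is exactly the signal that would have flagged the enumeration Reese performed.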

"If I were a bad guy, I would definitely target your customers with a phishing attack, because I know two things about them," Reese told Krebs. "That they're a LifeLock customer and that I have those customers' email addresses. That's a pretty sharp spear for my spear-phishing right there."

There's not much for LifeLock users to do at this point, since the company has already addressed the flaw, taking down the entire website for several hours immediately after Krebs contacted the company and only putting it back up after the issue was fixed.

In a statement posted by Krebs, LifeLock and its owner, antivirus software maker Symantec, attributed the flaw to an unnamed third-party vendor that ran the email-subscription page.

"Based on our investigation," the statement read, "aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."

Still, it just goes to show you that not every identity-protection company can offer you complete privacy online. At the end of the day, there will always be a tradeoff between convenience and security; you can never have 100 percent of both.

UPDATE: A LifeLock spokeswoman contacted Tom's Guide to tell us that only the email-subscription page was taken offline, not the entire site. By the time we checked, the site was working properly, so we can't tell whether Krebs was accurate in saying the entire domain was taken down.