Vulnerability In Security Service Lifelock Could Have Exposed Logins And Passwords

TechCrunch

A vulnerability discovered by security researchers Eric Taylor and Blake Welsh could turn an innocuous “refer-a-friend” page into an official-looking phishing page. By adding encoded HTML to the end of a basic URL, Taylor and his partner were able to simulate a Lifelock login page that could potentially grab usernames and passwords from unsuspecting users.

Lifelock closed the vulnerability, a cross-site scripting (XSS) flaw, after Taylor notified the company. Lifelock has over 3 million customers with revenue of $369.65 million. As of 2010, Lifelock’s CEO Todd Davis has been targeted for identity theft over a dozen times.

As shown in the screenshot above, Taylor was able to simulate a very simple login page by appending a long string of characters to the refer-a-friend URL on Lifelock. The “name” field could in fact contain any data, including joke names or more complex HTML.
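The flaw class described above, a URL parameter reflected into the page without encoding, is shown here beside its fix. This is an added example, not Lifelock's code or anything from the original article; the template, the `example.invalid` URL, the allowlist pattern and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical page template; the real page markup is not shown in the article.
TEMPLATE = "<p>Your friend {name} thinks you should try our service.</p>"

# Assumed allowlist for a display name: starts with a letter, then up to 63
# word characters, spaces, dots, apostrophes or hyphens.
NAME_RE = re.compile(r"[^\W\d_][\w .'-]{0,63}")

# Constructed sample input: markup smuggled into the "name" parameter.
INJECTED = "Alice</p><form>Password: <input name=p></form><p>"
SAMPLE_URL = "https://example.invalid/refer?name=" + quote(INJECTED)


def name_from_url(url):
    """Return the URL-decoded 'name' query parameter (parse_qs decodes %XX)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(url):
    """The 'before': the decoded value is pasted into the HTML as-is."""
    return TEMPLATE.format(name=name_from_url(url))


def render_hardened(url, strict=True):
    """The 'after': always HTML-escape on output; in strict mode also
    replace any value that fails the allowlist with a neutral default."""
    name = name_from_url(url)
    if strict and not NAME_RE.fullmatch(name):
        name = "A friend"
    return TEMPLATE.format(name=html.escape(name, quote=True))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("escaped:   ", render_hardened(SAMPLE_URL, strict=False))
    print("strict:    ", render_hardened(SAMPLE_URL))
```

Escaping at output is the control that closes the hole; the allowlist only narrows what reaches it, and legitimate names such as `O'Brien` still render because the apostrophe is encoded rather than rejected.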

“I found it while simply browsing…
