Symantec's ID theft prevention subsidiary LifeLock suffered from some embarrassing optics on Wednesday after it was reported that an error in its e-marketing unsubscribe process left the email addresses of its customers exposed to potential data theft and tampering.
Symantec claims there's no evidence of malicious activity stemming from the flaw, but in theory potential attackers could have obtained the publicly available addresses and then developed spear phishing campaigns to target the LifeLock customers who owned them.
Security blogger Brian Krebs, who broke the news about the flaw, reported on Wednesday via his blog that the bug resided within the LifeLock website; however, Symantec has claimed in response that the error actually existed on a marketing page managed by an unnamed third-party partner. The bug has now been fixed.
Atlanta-based security researcher Nathan Reese is credited with discovering the flaw after he tried to unsubscribe from a marketing email he had received from LifeLock. Reese reportedly realised that the link in the unsubscribe page's address bar ended with "subscriberkey=" followed by a unique number that corresponded specifically to him. The numbers appeared to be sequential, meaning an attacker could have written a script to increment through the email addresses of every subscriber.
Reese tried it himself, nabbing 70 addresses before shutting down his experiment. By then, Reese understood the implications. "If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them: That they're a LifeLock customer and that I have those customers' email addresses," said Reese, as reported by Krebs. "That's a pretty sharp spear for my spear phishing right there."
Other experts agreed with Reese's assessment. "While any criminal enterprise could, and probably does, send out Lifelock phishing e-mails, this ability to cull an actual customer e-mail list from their site is particularly meaningful because this is a group of customers that are already worried about fraud and have invested in a product to try to protect themselves that has ultimately failed to do so," said Adam Levin, founder of CyberScout, in comments emailed to SC Media.
Olivier Lemarié, CTO at Vade Secure, said phishing emails in this situation might "play on [subscribers'] fear of losing identity theft protection," by falsely suggesting that their LifeLock service was suspended over a payment issue, before directing users to a fake payment page.
Other experts panned Symantec for what they describe as a fairly basic security mistake.
"This is something you might expect on the e-commerce site for a small local boutique business. This is not what we should expect from a marketing juggernaut owned by one of the world's largest anti-virus firms, doing business as a direct-to-consumer identity theft prevention company," said Fred Kneip, CEO at CyberGRX.
Neill Brookman, head of pre-sales in EMEA at Janrain, said "Using a sequential ID for each consumer record rather than a GUID suggests they have poor development standards and no proper testing or quality control. A sequential ID or email address should never be used as an identifier in an application, as it is open to phishing attacks and very insecure."
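To make the defect and the fix concrete, here is an added illustration (not code from LifeLock, Symantec or the third-party page) of the two designs contrasted above: an opt-out handler keyed on a sequential `subscriberkey` that echoes the matching address, beside a hardened handler that uses an unguessable, single-use token and never discloses the full address. The subscriber table and field names are constructed for the example.

```python
import secrets

# Constructed sample subscriber table (sequential IDs, as the article describes).
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def unsubscribe_vulnerable(query: dict) -> dict:
    """Flawed pattern: the URL parameter is the record's sequential key, and the
    page reveals the address it maps to. Any value of the key selects a record,
    so the whole key space can be walked; there is no proof the requester owns it."""
    key = int(query["subscriberkey"])
    email = SUBSCRIBERS.get(key)
    if email is None:
        return {"status": 404}
    return {"status": 200, "email": email}  # discloses the subscriber's address


# Hardened pattern: each unsubscribe link carries a random 256-bit token that is
# bound to the record server-side, is single use, and is never derived from the ID.
TOKENS: dict[str, int] = {}  # token -> subscriber id (would be a DB table in practice)


def issue_unsubscribe_token(subscriber_id: int) -> str:
    """Called when the marketing email is generated; the token goes in the link."""
    token = secrets.token_urlsafe(32)  # ~43 URL-safe chars, not guessable or sequential
    TOKENS[token] = subscriber_id
    return token


def mask_email(email: str) -> str:
    """Show only enough for the user to recognise the address on the opt-out page."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def unsubscribe_hardened(query: dict) -> dict:
    token = query.get("token", "")
    subscriber_id = TOKENS.pop(token, None)  # pop makes the token single use
    if subscriber_id is None:
        return {"status": 404}  # unknown, already used, or guessed token
    # ... mark SUBSCRIBERS[subscriber_id] as opted out here ...
    return {"status": 200, "email": mask_email(SUBSCRIBERS[subscriber_id])}
```

Invalidating the token once it is used also limits the damage if a recipient forwards the email, and the opt-out page itself never becomes a lookup oracle for addresses.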
Chris Olson, CEO of the Media Trust, said this point raises an important issue of insecure web application development. "Too many website applications are built with little thought on how to prevent being hacked," said Olson. "LifeLock's web app vulnerability appears to have resulted from developers' oversight and mirrors many other incidents in the past year alone, where security features and procedures to reinforce them receive little attention. Developers should make security a priority throughout a product's lifecycle stages, from concept to manufacturing to retirement. Website operators should police all their website third parties to ensure all their activities fall within policies and scan their sites to identify and obstruct unauthorised code."
Paul Bischoff, privacy advocate at Comparitech.com, added that while the third-party vulnerability was "a bit embarrassing" for a security company the likes of Symantec, the problem "wasn't particularly severe and was patched before any real harm was done," at least according to LifeLock and Symantec.
Calling the mistake a "poor programming practice," Juniper Networks' head of threat research Mounir Hahad said that while it's encouraging that the email addresses weren't paired with any customer names, "The trouble begins when these email addresses and subscriber IDs are cross-referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013. From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers."
Symantec has issued the following statement. "This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page."