A vulnerability discovered by security researchers Eric Taylor and Blake Welsh could turn an innocuous “refer-a-friend” page into an official-looking phishing page. By adding encoded HTML to the end of a basic URL, Taylor and his partner were able to simulate a Lifelock login page that could potentially grab usernames and passwords from unsuspecting users.
Lifelock closed the vulnerability, a cross-site scripting (XSS) flaw, after Taylor notified the company. Lifelock has over 3 million customers with revenue of $369.65 million. As of 2010, Lifelock’s CEO Todd Davis has been targeted for identity theft over a dozen times.
As shown in the screenshot above, Taylor was able to simulate a very simple login page by appending a long string of characters to the refer-a-friend URL on Lifelock. The “name” field could in fact contain any data, including joke names or more complex HTML.
“I found it while simply browsing LifeLock’s website,” said Taylor. “While viewing the page ‘Refer A Friend’ on LifeLock.com, I saw that a specific part of the page was outputting colored text, so I tested to see if the page was allowing any user to modify the URL and inject HTML code into the website’s URL parameters. It was in fact vulnerable to an XSS attack.
“While this vulnerability was left open, all of LifeLock’s 3,000,000+ customers, including potential customers (from the referral system), were left vulnerable to a slew of attacks, including: phishing campaigns, session hijacking, malware and spam campaigns, and many other forms of Cross-site scripting based attacks,” he said.
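The flaw described above is a reflected-XSS pattern: a URL parameter is written into the page's markup without encoding. The following added example (not LifeLock's code, and not from Taylor's blog) contrasts that flawed rendering with the hardened version and includes a check a test suite could use to catch the regression; the URL, path, parameter name and template are constructed assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL (hypothetical host, path and parameter; not LifeLock's real endpoint).
# The query value is the percent-encoded form of "<b>Alice</b>", a harmless tag used only
# to show whether markup survives into the rendered page.
SAMPLE_URL = "https://example.invalid/refer-a-friend?name=%3Cb%3EAlice%3C%2Fb%3E"

# Hypothetical page template: the referrer's name is shown in colored text, as in the article.
TEMPLATE = '<p style="color:#c00">{name} has invited you to join!</p>'


def referrer_name(url: str) -> str:
    """Extract the percent-decoded 'name' query parameter, as the server would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """The flawed pattern: the untrusted parameter is interpolated into HTML unescaped,
    so any markup a visitor places in the URL is rendered as markup."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """The fix: HTML-encode untrusted input before placing it in an HTML text context.
    Angle brackets, ampersands and quotes become entities and display as literal text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def is_markup_injected(rendered: str, name: str) -> bool:
    """Regression check: did a parameter containing angle brackets survive verbatim
    into the output? True means the page is reflecting raw markup."""
    return ("<" in name or ">" in name) and name in rendered
```

In a real deployment the encoding would be done by the template engine's auto-escaping, and the same context-aware rule applies to attributes, URLs and script contexts, each of which needs its own encoder.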
Taylor, aka Cosmo The God, is chief information security officer of Cinder, and Welsh is a student at Anne Arundel Community College in Maryland. They have previously discovered basic but dangerous vulnerabilities at PayPal, Charter, and Verizon. Taylor wrote about the exploit on his blog.
A Lifelock representative said they addressed the issue immediately.