Wednesday, 01 July 2015 11:23

Cross-Site Scripting Flaw found in US ID Protection Company LifeLock's site

Written by

Reading time is around minutes.

Irony is one of those things that is not appreciated by security guys. They do not find humor in it nor do they enjoy it when someone points an ironic situation involving them out. This has to be the case for the privacy company LifeLock. A pair of security researchers (Eric Taylor and Blake Welsh) have found an interesting feature in LifeLock’s web site. The flaw allows for a cross-site scripting attack to be used to do a fair amount of damage including injecting malware.

The flaw exists in the refer-a-friend portal on the site. The portal is exposed enough that all 300k+ users of LifeLock are open to the attack. Imagine going to a site that is supposed to protect you identity only to have your session hijacked and/or ransomeware dumped on your system. What is a little odd is that the flaw was there at all. Cross-Site scripting attacks are common and an identity protection site should have been able to notice this bug in the website.

The good news is that LifeLock patched the vulnerability within a few hours of it being disclosed. This is actually much faster than many other companies out there that take months to remediate security issues that are found by researchers.

Read 2561 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.