A Small Set of Android Apps Exposed the Data of Over 100 Million Users
Last updated September 25, 2021
With GDPR policies in place, the number of data leaks and breaches that are being revealed publicly have shot up over the past two months. The latest victim of a data leak is Symantec-owned ID theft protection firm LifeLock. The company boasts of over 4.5 million accounts according to the website literature. According to an Atlanta-based security researcher, Nathan Reese alerted KrebsOnSecurity about the vulnerability, and Symantec patched the exploit soon after.
According to Reese, the website developers lacked a basic understanding of security putting millions of users at risk. Anyone with a web browser could index all the email addresses of users along with other personal information and the subscriber numbers. It is unknown if ID thieves and phishers have already taken advantage of LifeLock’s website vulnerability.
Reese’s email to KrebsOnSecurity stated “If I were a bad guy, I would definitely target your customers with a phishing attack because I know two things about them. That they’re a LifeLock customer and that I have those customers’ email addresses. That’s a pretty sharp spear for my spear phishing right there. Plus, I definitely think the target market of LifeLock is someone who is easily spooked by the specter of cybercrime.”
Before the website was patched, anyone could click the unsubscribe button at the bottom of a marketing email sent by LifeLock. It would make the subscriber key visible, and sequencing the subscriber numbers would allow customer email addresses to be found. Reese managed to pull the data of 70 users using the method. The website misconfiguration may have already cost the company some goodwill, and users are not too happy with the situation.
What do you think about the vulnerability found in Lifelock’s website? Let us know in the comments below. Get instant updates on TechNadu’s Facebook page, or Twitter handle.