Identity protection outfit LifeLock picked, popped
Refer-a-friend page gets new 'feature'
Security researchers Eric Taylor and Blake Welsh have disclosed a cross-site scripting vulnerability in US identity protection company LifeLock.
The duo from US outfit Cinder say the vulnerability allows attackers to target the company's three million users with malware and phishing attacks, session jacking, among other acts.
The holes target the refer-a-friend portal of the site.
"All of LifeLock’s 3,000,000-plus customers, including potential customers from the referral system, were left vulnerable to a slew of attacks, including phishing campaigns, session hijacking, and malware and spam campaigns, and many other forms of cross-site scripting based attacks," Welsh told EL Reg.
LifeLock issued a patch for the flaw soon after disclosure hours ago. It is unknown if it has been exploited by malicious actors,
Cross-site scripting vulnerabilities are some of the most common yet still dangerous net scourges around allowing attackers to take advantage of lax validation to inject malicious scripts into input fields. Those scripts can target users stealing cookies, tokens, and a host of other sensitive data sets.
The Open Web Application Security Project has a cheat sheet containing pointers for identifying and closing XSS flaws.
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust