A vulnerability discovered by security researchers Eric Taylor and Blake Welsh could turn an innocuous “refer-a-friend” page into an official-looking phishing page. By appending encoded HTML to the end of an ordinary URL, Taylor and his partner were able to simulate a LifeLock login page that could capture usernames and passwords from unsuspecting users.
LifeLock closed the vulnerability, a cross-site scripting (XSS) flaw, after Taylor notified the company. LifeLock has over 3 million customers and revenue of $369.65 million. As of 2010, LifeLock’s CEO Todd Davis has been targeted for identity theft over a dozen times.
As shown in the screenshot above, Taylor was able to simulate a very simple login page by appending a long string of characters to LifeLock’s refer-a-friend URL. The “name” field could in fact contain any data, including joke names or more complex HTML, because whatever the URL supplied was rendered into the page as markup rather than as plain text.
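The reflection described above, as an added example that is not LifeLock’s code and not from the original article: a minimal Node.js refer-a-friend renderer that reflects the referrer’s name, shown in its vulnerable form beside the hardened one. The function names, the `?name=` parameter and the sample URL are assumptions constructed for illustration.

```javascript
// Added example (not LifeLock's code): a refer-a-friend page that reflects
// the "name" query parameter, vulnerable beside hardened.
// Assumed names: parseQuery, escapeHtml, renderReferralPage*, SAMPLE_URL.

// Parse the query string of a referral URL into a plain object.
// URLSearchParams percent-decodes values, so "%3Cb%3E" becomes "<b>".
function parseQuery(url) {
  const params = new URL(url, "https://example.invalid").searchParams;
  return Object.fromEntries(params.entries());
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value; the result is safe to place in element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the referrer's name is concatenated straight into markup,
// so encoded HTML in ?name= is rendered by the browser as real elements
// (the refer-a-friend bug described in the article).
function renderReferralPageVulnerable(url) {
  const { name = "" } = parseQuery(url);
  return `<p>${name} has invited you to join!</p>`;
}

// Hardened: the same page, escaping the untrusted value at the point it
// is inserted into HTML, so it can only ever render as visible text.
function renderReferralPageSafe(url) {
  const { name = "" } = parseQuery(url);
  return `<p>${escapeHtml(name)} has invited you to join!</p>`;
}

// Regression check a defender can run against any renderer: does the
// decoded parameter come back verbatim while containing a tag character?
function reflectsUnescapedMarkup(renderer, url) {
  const { name = "" } = parseQuery(url);
  return name.includes("<") && renderer(url).includes(name);
}

// Constructed referral link: the name field carries URL-encoded markup
// ("<b>Admin</b>") instead of a plain name.
const SAMPLE_URL = "https://example.invalid/refer?name=%3Cb%3EAdmin%3C%2Fb%3E";
```

Running `reflectsUnescapedMarkup` against both renderers flags the vulnerable one and clears the hardened one, which is the check worth adding to a test suite for any page that echoes a URL parameter.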
“I found it while simply browsing LifeLock’s…