Vulnerability In Security Service Lifelock Could Have Exposed Logins And Passwords

TechCrunch

A vulnerability discovered by security researchers Eric Taylor and Blake Welsh could turn an innocuous “refer-a-friend” page into an official-looking phishing page. By adding encoded HTML to the end of a basic URL, Taylor and his partner were able to simulate a Lifelock login page that could potentially grab usernames and passwords from unsuspecting users.

Lifelock closed the vulnerability, a cross-site scripting (XSS) flaw, after Taylor notified the company. Lifelock has over 3 million customers with revenue of $369.65 million. As of 2010, Lifelock’s CEO Todd Davis has been targeted for identity theft over a dozen times.

As shown in the screenshot above, Taylor was able to simulate a very simple login page by appending a long string of characters to the refer-a-friend URL on Lifelock. The “name” field could in fact contain any data including joke names – or more complex HTML.
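The behaviour described above, a “name” value from the URL being written into the page as markup, is shown next to a corrected rendering in the following added example. It is not code from the article or from Lifelock: the template, the `refer.example` URLs, the allowlist pattern and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical page template; the real Lifelock markup is not on this page.
TEMPLATE = "<h1>{name} thinks you should try our service</h1>"

# Conservative allowlist for a display name (an assumption, tune per product):
# starts with a letter, then up to 63 letters, digits, spaces or . , ' -
NAME_OK = re.compile(r"[^\W\d_][\w .,'-]{0,63}")

# Constructed sample URLs (percent-encoded, as a browser would send them).
BENIGN = "https://refer.example/friend?name=Ana%20O%27Neil"
MARKUP = ("https://refer.example/friend?name="
          "%3Cform%3E%3Cinput%20name%3D%22password%22%3E%3C%2Fform%3E")


def name_from_url(url):
    """Return the decoded 'name' query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(url):
    # Reflects the parameter verbatim: markup in it becomes part of the page.
    return TEMPLATE.format(name=name_from_url(url))


def render_hardened(url):
    name = name_from_url(url)
    # Input validation: reject anything that is not a plausible name
    # instead of trying to strip "bad" characters out of it.
    if not NAME_OK.fullmatch(name):
        name = "A friend"
    # Output encoding: still escape for the HTML context, so a permissive
    # allowlist (the apostrophe here) cannot turn into markup.
    return TEMPLATE.format(name=html.escape(name, quote=True))


if __name__ == "__main__":
    for url in (BENIGN, MARKUP):
        print("vulnerable:", render_vulnerable(url))
        print("hardened:  ", render_hardened(url))
```

The hardened path applies both controls because validation alone depends on the allowlist staying strict, while escaping alone would still display attacker-chosen text under the site's branding.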

“I found it while simply browsing LifeLock’s…
