LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts.

The areas we can all learn from

With this as background, we can see several activities occurring here:

  1. The unsubscribe web page wasn’t fully or properly secured via TLS. This can be seen in the screenshots with a yellow icon for the certificate. This icon indicates that either there is content on the page that wasn’t secured or obsolete cipher suites were used. Either way, any user submitting personally identifiable information on this page should be wary, as the page can’t be fully trusted to process data securely.
  2. The email link used a readily identifiable token named “subscriberKey,” which the researchers were able to forge in such a way as to leak information from other users. This token is effectively a session ID and should be designed to meet the OWASP guidelines, which state, “The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.”
  3. A user should only ever be able to access their own individual personally identifiable data, and that of no other users. That access should always be validated through a logon process. Simply clicking an unsubscribe link in an email, which itself is an inherently insecure mode of communication, should never return any personal information.
  4. The site didn’t follow the current branding and template format for LifeLock, including identifying it as being part of the Symantec portfolio. We’ve been trained for years that branding mistakes are the hallmark of email fraudsters.
  5. Symantec identified that a third party was involved in the processing of personal information. Businesses are increasingly turning to third-party service providers, but any security issues in the provider are also security issues for the organization contracting with the provider.
  6. LifeLock implicitly assumed that the email addresses they sent their marketing message to represented U.S.-based individuals with an interest in their services. Unless the email address was explicitly collected and validated by Symantec as part of a user’s engagement with LifeLock, there is no guarantee that the email is for a U.S.-based user, and the definition of personal data varies by jurisdiction.
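As an added illustration of points 2 and 3 (this is example code written for this page, not code from the article or from LifeLock’s marketing platform, whose internals are not public), here is a hypothetical unsubscribe handler in the weak shape described above beside a hardened version: an unguessable, single-use token that authorizes exactly one action, is stored only as a hash, and a response that never echoes the subscriber’s address.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample subscriber table (hypothetical data, not from the article).
SUBSCRIBERS = {1: "alice@example.com", 2: "bob@example.com"}


# --- Weak design, modelled on the flaw described above -----------------------
def weak_unsubscribe(subscriber_key: str) -> dict:
    """Sequential, guessable 'subscriberKey'; the response echoes the stored
    email address, so varying the key reveals other subscribers' addresses."""
    email = SUBSCRIBERS.get(int(subscriber_key))
    if email is None:
        return {"status": "unknown"}
    return {"status": "ok", "email": email}  # personal data returned to anyone


# --- Hardened design --------------------------------------------------------
def _fingerprint(token: str) -> str:
    # Store only a hash of the token: a leaked table yields no usable tokens,
    # and looking up by digest avoids comparing secret bytes directly.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class UnsubscribeService:
    _by_fingerprint: dict = field(default_factory=dict)  # sha256(token) -> id
    unsubscribed: set = field(default_factory=set)

    def issue_token(self, subscriber_id: int) -> str:
        # 32 random bytes = 256 bits of entropy, far beyond brute-force range
        # (OWASP: long enough that the whole ID space cannot be enumerated).
        token = secrets.token_urlsafe(32)
        self._by_fingerprint[_fingerprint(token)] = subscriber_id
        return token

    def unsubscribe(self, token: str) -> dict:
        # The token authorizes exactly one action for exactly one subscriber.
        sid = self._by_fingerprint.pop(_fingerprint(token), None)  # single-use
        if sid is None:
            return {"status": "unknown"}  # identical body for any bad token
        self.unsubscribed.add(sid)
        return {"status": "ok"}  # confirmation only; no email address echoed
```

A real deployment would add an expiry to each token and serve the endpoint only over properly configured TLS, per point 1.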

Reviewing security best practices

With these observations, made in conjunction with conventional security training intended to identify suspect websites, it’s worth questioning why LifeLock and Symantec didn’t review their opt-out process to ensure it met current security best practices and their branding standards. It’s also worth questioning what data was provided to the third party in addition to the email address. While I doubt this incident rises to the level of a disclosure under GDPR, the security of personally identifiable information (PII) passed to the third party for processing should be reviewed given the issues we’ve observed.

Posted by Tim Mackey

Tim Mackey is the Head of Software Supply Chain Risk Strategy within the Synopsys Software Integrity Group. He joined Synopsys as part of the Black Duck Software acquisition, where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. In this role, Tim applies his skills in distributed systems engineering, mission-critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.