LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts.

The areas we can all learn from

With this as background, we can see several activities occurring here:

1. The unsubscribe web page wasn’t fully or properly secured via TLS. This can be seen in the screenshots with a yellow icon for the certificate. This icon indicates that either there is content on the page that wasn’t secured or obsolete cipher suites were used. Either way, any user submitting personally identifiable information on this page should be wary, as the page can’t be fully trusted to process data securely.
2. The email link used a readily identifiable token named “subscriberKey,” which the researchers were able to forge in such a way as to leak information from other users. This token is effectively a session ID and should be designed to meet the OWASP guidelines, which state, “The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.”
3. A user should only ever be able to access their own individual personally identifiable data, and that of no other users. That access should always be validated through a log on process. Simply clicking an unsubscribe link in an email, which itself is an inherently insecure mode of communication, should never return any personal information.
4. The site didn’t follow the current branding and template format for LifeLock, including identifying it as being part of the Symantec portfolio. We’ve been trained for years that branding mistakes are the hallmark of email fraudsters.
5. Symantec identified that a third party was involved in the processing of personal information. Businesses are increasingly turning to third-party service providers, but any security issues in the provider are also security issues for the organization contracting with the provider.
6. LifeLock implicitly assumed that the email addresses they sent their marketing message to represented U.S.-based individuals with an interest in their services. Unless the email address was explicitly collected and validated by Symantec as part of a users’ engagement with LifeLock, there is no guarantee that email is for a U.S.-based user and the definition of personal data varies by jurisdiction.

Reviewing security best practices

With these observations, made in conjunction with conventional security training intending to identify suspect websites, it’s worth questioning why LifeLock and Symantec didn’t review their opt-out process to ensure it met current security best practices and their branding standards. It’s also worth questioning what data was provided to the third party in addition to the email address. While I doubt this incident rises to the level of a disclosure under GDPR, the security of personally identifiable information (PII) passed to the third party for processing should be reviewed given the issues we’ve observed.

Are you following the top 10 software security best practices?