Identity protection outfit LifeLock picked, popped
Refer-a-friend page gets new 'feature'
Security researchers Eric Taylor and Blake Welsh have disclosed a cross-site scripting vulnerability in US identity protection company LifeLock.
The duo from US outfit Cinder say the vulnerability allows attackers to target the company's three million users with malware and phishing attacks, session jacking, among other acts.
The holes target the refer-a-friend portal of the site.
"All of LifeLock’s 3,000,000-plus customers, including potential customers from the referral system, were left vulnerable to a slew of attacks, including phishing campaigns, session hijacking, and malware and spam campaigns, and many other forms of cross-site scripting based attacks," Welsh told EL Reg.
LifeLock issued a patch for the flaw soon after disclosure hours ago. It is unknown if it has been exploited by malicious actors,
Cross-site scripting vulnerabilities are some of the most common yet still dangerous net scourges around allowing attackers to take advantage of lax validation to inject malicious scripts into input fields. Those scripts can target users stealing cookies, tokens, and a host of other sensitive data sets.
The Open Web Application Security Project has a cheat sheet containing pointers for identifying and closing XSS flaws.