Yesterday the highly respected security journalist Brian Krebs disclosed a security flaw in LifeLock, Symantec's identity theft protection business.
The vulnerability lets anyone collect the email addresses of LifeLock customers by changing a single request parameter on the unsubscribe page and simply stepping through its values one after another. The parameter, conveniently named “subscriberkey”, is a plain sequential number, and the server neither authenticates the request nor checks that the key belongs to the caller, so every guessed value that exists returns another customer's address. LifeLock is said to have millions of users, and all of them are potentially affected. The bug can be abused in two ways: first, an attacker can unsubscribe an arbitrary user, or a whole batch of users, from LifeLock's emails; second, the harvested addresses form a confirmed list of LifeLock customers, an ideal target list for later phishing campaigns.
This behavior falls under the 2017 OWASP Top Ten as risk A5, Broken Access Control: the server exposes an object reference (the subscriber key) without verifying that the requester is authorized to act on it.
The LifeLock bug, and request tampering vulnerabilities in general, are good examples of attack vectors that WAFs do not prevent: a request carrying “subscriberkey=1002” is syntactically indistinguishable from a legitimate one, because only the application knows which key the current user was actually given. And as always, when security depends on human action (developers remembering to add the check by hand), the chances of leaving open doors increase.
At Hdiv we believe that a significant part of security risks can be prevented automatically. We help developers build secure applications by incorporating runtime protection (RASP) from the beginning of the SDLC. Unlike a WAF, our protection system knows which links and forms the application itself rendered for a user, so it would automatically block this kind of URL tampering and prevent exploitation of the bug. Moreover, Hdiv RASP detects and blocks modification of request parameter values, the addition and removal of parameters, parameter binding (also known as mass assignment), and other malicious request manipulations. We accomplish this protection without changing the code of the application or any explicit configuration, and with no false positives.
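To make the two halves of this post concrete, the enumeration attack described above and the idea that a server-issued parameter must be checked for integrity on the way back in, here is an added example. It is not code from LifeLock, from Krebs' report or from Hdiv; the subscriber table, the secret and the function names are all constructed for illustration. The vulnerable handler accepts any integer subscriberkey, exactly as described. The hardened handler uses one common fix for links that by design must work without a login, such as unsubscribe links: the server signs the key with an HMAC when it builds the link, and refuses any request whose signature does not verify, so stepping through the key space yields nothing. This is one possible remediation chosen for the example, not a description of Hdiv's mechanism or of the fix LifeLock applied.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for a subscriber table. The keys are
# small sequential integers, which is what made the real bug enumerable.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret for this example only; a real deployment
# would load it from a secret store, never hard-code it.
UNSUBSCRIBE_SECRET = b"constructed-secret-for-this-example"

Params = Dict[str, str]  # a parsed query string: name -> value


def vulnerable_unsubscribe(params: Params) -> Optional[str]:
    """Mirrors the flaw in the post: any integer subscriberkey is accepted
    with no check that this caller was ever handed that key. Returns the
    email address the unsubscribe page would display."""
    key_str = params.get("subscriberkey", "")
    if not key_str.isdigit():
        return None
    return SUBSCRIBERS.get(int(key_str))


def _signature(key: int) -> str:
    """HMAC-SHA256 over the canonical key, hex encoded."""
    return hmac.new(UNSUBSCRIBE_SECRET, str(key).encode(), hashlib.sha256).hexdigest()


def build_unsubscribe_params(key: int) -> Params:
    """What the server puts in the link it emails to a subscriber: the key
    plus a signature binding it to this server's secret."""
    return {"subscriberkey": str(key), "sig": _signature(key)}


def hardened_unsubscribe(params: Params) -> Optional[str]:
    """Same page, but the key is only honoured if it arrives with the
    signature the server issued for it. A guessed or edited key fails the
    constant-time comparison and is rejected before any lookup."""
    key_str = params.get("subscriberkey", "")
    sig = params.get("sig", "")
    if not key_str.isdigit():
        return None
    expected = _signature(int(key_str)).encode()
    if not hmac.compare_digest(expected, sig.encode()):
        return None  # tampered or enumerated key: refuse (and log it in real code)
    return SUBSCRIBERS.get(int(key_str))


def enumerate_emails(
    handler: Callable[[Params], Optional[str]], start: int, stop: int
) -> List[Tuple[int, str]]:
    """The attack from the post: walk the key space sequentially, exactly as
    an attacker with no account would, and keep every address that comes back."""
    found = []
    for key in range(start, stop):
        email = handler({"subscriberkey": str(key)})
        if email is not None:
            found.append((key, email))
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_emails(vulnerable_unsubscribe, 1000, 1010))
    print("hardened:  ", enumerate_emails(hardened_unsubscribe, 1000, 1010))
    legit = build_unsubscribe_params(1002)
    print("legitimate link still works:", hardened_unsubscribe(legit))
    legit["subscriberkey"] = "1003"  # keep bob's sig, point it at carol's key
    print("edited key with stale sig:", hardened_unsubscribe(legit))
```

Against the vulnerable handler the loop harvests every existing address in the range; against the hardened one it harvests none, while the link the server actually issued keeps working. Note that the request a WAF sees in both cases is a well-formed GET with a numeric parameter; the only thing that distinguishes the attack from legitimate use is knowledge held by the application, which is the point the post makes about WAFs.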