Experian API Leaked Credit Scores - Security Boulevard

Experian API Leaked Credit Scores

After Experian fixed a weakness at a partner website that let anyone view credit scores for nearly every American by just inputting a name and address, questions remain about whether the same problem exists with other partners, and how widespread the problem might be.

A security researcher and college student, Bill Demirkapi, stumbled across the weakness while he was looking for a student loan – he discovered he could get credit scores on anyone by putting all zeros in the date-of-birth field – and reported it to the consumer credit bureau. But he told Krebs on Security that he was concerned that other lending sites might have the vulnerability, as well.

Experian patched the problem, but Demirkapi said the company didn’t go far enough with its fix. In response to Krebs, Experian said it had “been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter.” It noted that “while the situation did not implicate or compromise any of Experian’s systems,” it had taken the matter seriously.

But Demirkapi said his discovery is a systemic threat, not just a single instance. “The basis for the systemic threat is that Experian does not require their vendors to provide anything more than a name and address to look up confidential information,” he tweeted.

“It’s not clear if this weakness was exploited by other attackers beyond the security researcher’s probing and disclosure,” said Michael Isbitski, technical evangelist at Salt Security. “Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them.”

Isbitski said that any API that uses weak authentication, like this one did, “could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.”

Using a tool that Demirkapi created, “Bill’s Cool Credit Score Lookup Utility,” Krebs found that not only did the weakness in Experian’s API reveal credit scores, it also offered four risk factors that explain why a score could be lower.

The issue isn’t unique to Experian. “Many websites being launched for vaccine management and other public health services seem to struggle with the same issues,” said Jack Mannino, CEO at nVisium. “Making systems accessible to the broader public using private data often has security tradeoffs and consequences.”

However, “allowing API access to personal data by requiring only publicly available information is clearly poor security practice, but this kind of situation points to an endemic issue,” said David Stewart, CEO at Approov. “Since the evolution to an API-first internet, poor security practices and API vulnerabilities have been a source of joy to bad actors who have been exploiting both, at scale, through scripting on an industrial scale.”

Experian fell short when it came to security practices, and its shortcomings should serve as a lesson to others.

“If this isn’t an argument for more and better DevSecOps, then nothing is,” said Tom Garrubb, CISO at Shared Assessments. “The root cause of this issue is poor testing of the application’s overall security controls.”

The situation could have been prevented if only “the application designers would have designed, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle,” he said.

That’s particularly important since “unsecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data,” Garraba said, with the potential for far-reaching consequences.

“Bad coding practices not only hurt everyone financially, but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm,” he said.

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 16 posts and counting.See all posts by teri-robinson