After Experian fixed a weakness at a partner website that let anyone view credit scores for nearly every American by just inputting a name and address, questions remain about whether the same problem exists with other partners, and how widespread the problem might be.
A security researcher and college student, Bill Demirkapi, stumbled across the weakness while he was looking for a student loan – he discovered he could get credit scores on anyone by putting all zeros in the date-of-birth field – and reported it to the consumer credit bureau. But he told Krebs on Security that he was concerned that other lending sites might have the vulnerability, as well.
Experian patched the problem, but Demirkapi said the company didn’t go far enough with its fix. In response to Krebs, Experian said it had “been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter.” It noted that “while the situation did not implicate or compromise any of Experian’s systems,” it had taken the matter seriously.
But Demirkapi said his discovery is a systemic threat, not just a single instance. “The basis for the systemic threat is that Experian does not require their vendors to provide anything more than a name and address to look up confidential information,” he tweeted.
“It’s not clear if this weakness was exploited by other attackers beyond the security researcher’s probing and disclosure,” said Michael Isbitski, technical evangelist at Salt Security. “Experian confirmed only that they were able to uncover the security researcher’s activity in their backend logs after the problem was disclosed to them.”
Isbitski said that any API that uses weak authentication, like this one did, “could potentially be enumerated and scraped to obtain large amounts of the private, credit-related data.”
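To make the weakness concrete from the defender's side, here is an added example (not Experian's, the partner's, or Demirkapi's code; the field names, the `verification_id` step-up factor, and the log lines are constructed assumptions). It puts the name-and-address-only check beside a stricter one that rejects the all-zero date of birth, and scans a backend log for the enumeration pattern Isbitski describes:

```python
"""Defender-side checks for a credit-lookup endpoint (added example, not Experian's or the partner's code).
Names, field layouts and log lines are constructed assumptions."""
from collections import defaultdict
from datetime import date

def weak_authorize(req: dict) -> bool:
    """The partner-site behaviour the article describes: name and address alone
    unlock a lookup, and a date of birth of all zeros is accepted unchecked."""
    return bool(req.get("name") and req.get("address"))

def valid_dob(dob: str) -> bool:
    """Reject placeholder or impossible dates such as '0000-00-00'."""
    try:
        y, m, d = (int(p) for p in dob.split("-"))
        parsed = date(y, m, d)
    except ValueError:
        return False
    return date(1900, 1, 1) <= parsed < date.today()

# Hardened form (assumed fields): every identity factor must be present and
# well-formed, plus a verification_id issued by a prior step-up identity check.
REQUIRED = ("name", "address", "dob", "ssn_last4", "verification_id")

def strict_authorize(req: dict) -> tuple:
    for field in REQUIRED:
        if not req.get(field):
            return False, f"missing {field}"
    if not valid_dob(req["dob"]):
        return False, "invalid dob"
    if not (len(req["ssn_last4"]) == 4 and req["ssn_last4"].isdigit()):
        return False, "invalid ssn_last4"
    return True, "ok"

def flag_enumeration(log_lines, threshold: int = 5) -> list:
    """Return clients that looked up more than `threshold` distinct subjects:
    the scraping pattern a weakly authenticated lookup API invites."""
    subjects = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") == "score_lookup":
            subjects[fields["client"]].add(fields["subject"])
    return sorted(c for c, s in subjects.items() if len(s) > threshold)

# Constructed backend log: partnerA serves two repeat customers, scraper walks ten subjects.
SAMPLE_LOG = ["ts=0 client=partnerA action=login subject=-"]
SAMPLE_LOG += [f"ts={i} client=partnerA action=score_lookup subject=cust{i % 2}" for i in range(1, 5)]
SAMPLE_LOG += [f"ts={i} client=scraper action=score_lookup subject=cust{i}" for i in range(10, 20)]
```

The threshold and log format are illustrative; in practice the distinct-subject count per client would be compared against that partner's normal daily volume.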
Using a tool that Demirkapi created, “Bill’s Cool Credit Score Lookup Utility,” Krebs found that not only did the weakness in Experian’s API reveal credit scores, it also offered four risk factors that explain why a score could be lower.
The issue isn’t unique to Experian. “Many websites being launched for vaccine management and other public health services seem to struggle with the same issues,” said Jack Mannino, CEO at nVisium. “Making systems accessible to the broader public using private data often has security tradeoffs and consequences.”
However, “allowing API access to personal data by requiring only publicly available information is clearly poor security practice, but this kind of situation points to an endemic issue,” said David Stewart, CEO at Approov. “Since the evolution to an API-first internet, poor security practices and API vulnerabilities have been a source of joy to bad actors who have been exploiting both, at scale, through scripting on an industrial scale.”
Experian fell short when it came to security practices, and its shortcomings should serve as a lesson to others.
“If this isn’t an argument for more and better DevSecOps, then nothing is,” said Tom Garrubba, CISO at Shared Assessments. “The root cause of this issue is poor testing of the application’s overall security controls.”
The situation could have been prevented if only “the application designers would have designed, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle,” he said.
That’s particularly important since “unsecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data,” Garrubba said, with the potential for far-reaching consequences.
“Bad coding practices not only hurt everyone financially, but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm,” he said.