Anyone was able to look up the credit score of tens of millions of Americans just by providing their name and mailing address.
The issue was reported to KrebsOnSecurity by the independent security researcher Bill Demirkapi, who discovered the data exposure while shopping around for student loan vendors online.
“Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau,” reported KrebsOnSecurity.
The researcher found that the Experian API could be queried without authentication, and that supplying a “date of birth” consisting entirely of zeros still returned the person’s credit score, so a name and mailing address alone were enough to pull it. He wrote a command-line tool to automate the lookups, which he named “Bill’s Cool Credit Score Lookup Utility.”
KrebsOnSecurity successfully tested Demirkapi’s tool.
The API also returns up to four “risk factors” for each consumer, sensitive details about that person’s financial habits.
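The all-zero date of birth got through because the lookup only checked the shape of the field, not whether it named a real, plausible date. The following is an added example, not code from Experian, the lender, or Demirkapi’s tool: a shape-only validator of the kind that lets “0000-00-00” through, beside a strict one that parses the value as a calendar date and rejects it, plus a lender-side gate that refuses to forward a lookup without an authenticated session. The request format, the function names and the 120-year plausibility window are assumptions for illustration.

```python
"""Added example (not Experian's, the lender's, or the researcher's code).

Shows why a sentinel date of birth such as 0000-00-00 passes a shape-only
check, and how a strict check plus a session gate stops it before any
upstream credit-bureau call is made.  All names and formats are assumed.
"""
from datetime import date, datetime
from typing import Optional

# Constructed request bodies in the shape the article describes
# (name, mailing address, date of birth).  Not captured traffic.
SAMPLE_REQUESTS = [
    {"name": "Jane Doe", "address": "1 Main St", "dob": "1985-06-14"},
    {"name": "Jane Doe", "address": "1 Main St", "dob": "0000-00-00"},  # the bypass
    {"name": "Jane Doe", "address": "1 Main St", "dob": "2099-01-01"},  # future date
]


def dob_looks_valid_naive(dob: str) -> bool:
    """Shape-only check: YYYY-MM-DD made of digits.

    This is the weak pattern, kept for contrast: it accepts 0000-00-00,
    which an upstream API may treat as "no date of birth given".
    """
    parts = dob.split("-")
    return (len(parts) == 3
            and all(p.isdigit() for p in parts)
            and len(parts[0]) == 4 and len(parts[1]) == 2 and len(parts[2]) == 2)


def dob_is_valid_strict(dob: str, today: Optional[date] = None) -> bool:
    """Parse as a real calendar date and require it to be plausible for a
    living adult: not in the future and not more than 120 years ago
    (the 120-year window is an assumed policy).  0000-00-00 fails
    strptime outright, so it never reaches the bureau.
    """
    today = today or date.today()
    try:
        d = datetime.strptime(dob, "%Y-%m-%d").date()
    except ValueError:
        return False
    if d > today:
        return False
    try:
        oldest = today.replace(year=today.year - 120)
    except ValueError:  # today is Feb 29 and the target year is not a leap year
        oldest = today.replace(year=today.year - 120, day=28)
    return d >= oldest


def screen_lookup(req: dict, session_authenticated: bool,
                  today: Optional[date] = None) -> str:
    """Lender-side gate in front of the bureau call.

    Returns a decision string; only "forward" should result in an
    upstream API request.  Authentication is checked before any field
    validation so unauthenticated callers learn nothing about the data.
    """
    if not session_authenticated:
        return "reject: no authenticated session"
    if not dob_is_valid_strict(req.get("dob", ""), today):
        return "reject: implausible date of birth"
    return "forward"


if __name__ == "__main__":
    fixed_today = date(2021, 4, 28)  # constructed, for repeatable output
    for req in SAMPLE_REQUESTS:
        print(req["dob"],
              "naive:", dob_looks_valid_naive(req["dob"]),
              "strict:", dob_is_valid_strict(req["dob"], fixed_today),
              "gate:", screen_lookup(req, True, fixed_today))
```

The gate only closes the hole at one lender. As Demirkapi’s point below makes clear, the systemic fix sits on the bureau side: refuse wildcard or missing identity fields there and require per-partner authentication, so that every integrator, not just the one that was found, is protected.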
Demirkapi did not share with Experian the name of the service that was exposing the API because he suspects there may be thousands of companies using the same API, and that many of those services could be similarly leaking access to Experian’s consumer data.
“If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” Demirkapi told KrebsOnSecurity.
Nevertheless, after being contacted by KrebsOnSecurity, Experian figured out on its own which lender was exposing its API; Demirkapi said that vendor’s site now indicates the API access has been disabled.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”
Demirkapi said he’s disappointed that Experian did exactly what he feared they would do.
“They found one endpoint I was using and sent it into maintenance mode,” he said. “But this doesn’t address the systemic issue at all.”
Leaky and poorly secured APIs like the one Demirkapi found are the source of much mischief in the hands of identity thieves. Earlier this month, auto insurance giant Geico disclosed that fraudsters abused a bug in its site to steal driver’s license numbers from Americans.
Geico said the data was used by thieves involved in fraudulently applying for unemployment insurance benefits. Many states now require driver’s license numbers as a way of verifying an applicant’s identity.
In 2013, KrebsOnSecurity broke the news about an identity theft service in the underground that programmatically pulled sensitive consumer credit data directly from a subsidiary of Experian. That service was run by a Vietnamese hacker who’d told the Experian subsidiary he was a private investigator. The U.S. Secret Service later said the ID theft service “caused more material financial harm to more Americans than any other.”
(SecurityAffairs – hacking, Experian API)