Going back a decade, credit reporting giant Experian has been the target of several major leaks and breaches.
There was the online identity theft service that was selling data harvested from Experian in 2013, as well as the 2015 breach of one of its internal databases that affected about 15 million people. Last year, the personal information of over 25 million South Africans was handed over by Experian itself as the result of a phishing attack.
This year is no different. Experian was implicated in the leaking of over 200 million Brazilians’ personal information earlier this year in what is considered to be the largest personal data leakage in Brazilian history.
Now, Experian has yet another high-profile breach to add to the list.
Krebs on Security in late April reported that security researcher Bill Demirkapi discovered a vulnerability in one of Experian’s APIs that allowed attackers to retrieve sensitive user information without sufficient authorization to do so. Armed with only a first name, last name and a corresponding address, attackers could view the Experian credit scores and associated financial risk factors for virtually any US citizen.
In his interview with Krebs, Demirkapi noted that “no one should be able to perform an Experian credit check with only publicly available information.”
So, how did this happen?
Demirkapi stated that he was looking for student loans on various banking websites when he stumbled upon a lender whose website had a built-in tool that allowed him to check his eligibility for a loan. The tool only required users to enter their name, address, and date of birth (DOB) to determine their eligibility for a loan.
The student loan lender’s website was using Experian’s “Connect” API, which Demirkapi was able to manipulate using a command-line tool he created as a proof-of-concept (POC). He then discovered that, even though the lender’s tool required a DOB to be entered, the API route accepted a submission of all zeroes (“00-00-000”) for that field instead of a valid, corresponding DOB.
That means, with just a few pieces of readily available public information, Demirkapi was able to view the credit ratings and so-called financial “risk factors” that Experian uses to grade and inform lenders about their loan applicants.
“While API delivery creates efficiency and innovation, APIs inherently lack security, making them prone to application security risk.” – Setu Kulkarni, VP of Corporate Strategy & Business Development at WhiteHat Security
Demirkapi’s research showed that the Experian API required no authentication and did not demand sufficient identifying information before returning the highly sensitive data in its databases. The researcher said that it would only take “a single vulnerability in a vendor” using this API to allow an attacker to “easily abuse Experian’s system.”
Taking this into consideration, Demirkapi suggests the exposure from this flaw could be significantly larger than just one vulnerable lending website.
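An added illustration of the server-side checks that were missing (not Experian’s or the lender’s code): the eligibility route enforces a caller credential and rejects the all-zero DOB placeholder, so the bypass Demirkapi found fails at the API rather than only in the lender’s web form. The API key table, field names and the 120-year age bound are assumptions.

```python
import re
from datetime import date, datetime
from typing import Optional, Tuple

# Constructed example, not Experian's or the lender's code. The web form
# demanded a DOB, but the API route behind it accepted all zeroes; the fix
# is to validate and authorize on the server, before any credit lookup.

# Matches inputs made only of zeroes and separators, e.g. "00-00-000" or
# "0000/00/00" (hyphen, en dash and slash are covered).
ZERO_SENTINEL = re.compile(r"[0/\-\u2013]+")

# Assumed credential table; a real service would keep these in a secrets
# store and bind each key to one vetted client and its permitted operations.
API_KEYS = {"lender-demo-key": "student-loan-vendor"}


def dob_is_valid(dob: str, today: Optional[date] = None) -> bool:
    """True only for a real calendar date, not in the future, within 120 years."""
    today = today or date.today()
    if ZERO_SENTINEL.fullmatch(dob):
        return False  # the exact bypass: a placeholder, not a date
    for fmt in ("%Y-%m-%d", "%m-%d-%Y", "%m/%d/%Y"):
        try:
            parsed = datetime.strptime(dob, fmt).date()
            break
        except ValueError:
            continue
    else:
        return False  # no accepted format parsed it (bad month/day too)
    return 0 <= (today - parsed).days <= 120 * 366


def check_eligibility_request(req: dict) -> Tuple[int, str]:
    """Return (http_status, message); the credit lookup may run only on 200."""
    client = API_KEYS.get(req.get("api_key", ""))
    if client is None:
        return 401, "missing or unknown client credential"
    for field in ("first_name", "last_name", "address", "dob"):
        if not str(req.get(field, "")).strip():
            return 400, f"{field} is required"
    if not dob_is_valid(req["dob"]):
        return 400, "dob must be a real calendar date, not a placeholder"
    return 200, f"lookup authorized for client {client}"
```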
Demirkapi has firmly refused to disclose the name of the website to Krebs or to Experian, not only because he suspects “there may be hundreds or even thousands of companies using the same API,” but also because he fears Experian would simply shut down the vendor’s access to the API rather than fix the vulnerability in the API itself.
“If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem.” – Bill Demirkapi
In a statement to Threatpost, an Experian spokesperson said that they were able to confirm a “single, isolated instance” of the vulnerability, but that their systems and API were not compromised. The spokesperson added that “upon identifying the source of the situation, we shut down access to the client.”
Experian appears to have done exactly what Demirkapi feared.
Identity theft continues to be a massive problem in the internet age, and vendors entrusted with our data need to be held to a higher standard when they leak it. Once personal information has made its way onto the public internet or dark web, it’s essentially impossible to make it private again.
Like Experian said over three years ago: “you can’t simply reissue Social Security numbers, birth dates, names and addresses.”
The Experian Connect API is only one of 62 APIs that Experian maintains and supports globally.