A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, that he said was left open on a lender site without even basic security protections.
Experian downplayed concerns from the security community that the issue could be systemic.
The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi is a sophomore at Rochester Institute of Technology and was shopping for student loans when he found a lender that would check his eligibility with just a name, address and date of birth, according to a published report.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.
Demirkapi was surprised and decided to take a peek at the code which showed that an connection to an Experian API was behind the tool, he said.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi said he was even able to build a command-line tool that let him automate lookups, even after entering all zeros in the fields for date of birth, which he named, “Bill’s Cool Credit Score Lookup Utility.”
Read about the vulnerability I found in @Experian where they sell the private credit information of most Americans, only requiring a name and an address 🙃 https://t.co/rXW1yVh65a
— Bill Demirkapi (@BillDemirkapi) April 28, 2021
In addition to raw credit scores, Krebs said that he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history. He ran a credit check for his friend “Bill” which returned the explanation for his mid-700s credit score that he had “Too many consumer-finance company accounts.”
Experian’s Leaky API Systemic?
Experian said it fixed the unprotected endpoint instance, but some researchers are concerned that other exposed Experian APIs might be out there sitting unprotected, just waiting to be exploited by cybercriminals. There is a huge precedent in the 2017 breach of Equifax, where Chinese hackers stole financial data of 143 million Americans from the Experian rival.
However, an Experian spokesperson pushed back on the notion that there could be other insecure interfaces out there.
“We can confirm a single, isolated instance involving a client website,” she told Threatpost. “This situation did not implicate or compromise any of Experian’s systems, including our API. We were able to alert the client and resolve the matter.”
She added, “To reiterate, while this did not compromise any of Experian’s systems, we take this matter very seriously. In fact, we continually work with our clients to review their processes and ensure data security best practices.”
Threatpost has reached out for additional clarification.
Regardless, Demirkapi said wouldn’t give the name of the lender to protect the thousands of other APIs that are potentially still out there unsecured.
“They found one endpoint I was using and sent it into maintenance mode,” Demirkapi told Krebs. “But this doesn’t address the systemic issue at all.”
It should be noted that colossal security failures aren’t unknown for Experian, which in 2015 exposed 15 million T-Mobile customers’ data, including driver’s license and passport numbers.
Security Community Slams Experian
The security community isn’t holding back on its criticisms of Experian for the leaky API, which they said was concerning even if it was a single instance.
Saryu Nayyar, CEO at Gurucul was downright incredulous about the revelation.
“Shame on you Experian!” Nayyar said. “The credit-score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive — just the sort of data cybercriminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API?”
Tom Garruba, CISO for Shared Assessments, chalked it up to shoddy app development, and he added his own withering assessment of Experian’s software.
“If this isn’t an argument for more and better DevSecOps, then nothing is,” Garruba said. “The root cause of this issue is poor testing of the application’s overall security controls. This could have been prevented if the application designers would have designed, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle.”
Garruba added APIs are an obvious attack vector which should have been secured.
“Insecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data,” he added. “Such bad coding practices not only hurt everyone financially but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm.”
This should be a big, fat flashing warning to every other company out there to lock down their APIs yesterday, if not sooner, researchers added.
“APIs are the lingua-franca for business integrations and a flaw in APIs is lethal,” Setu Kulkarni, vice president with White Hat Security told Threatpost. “If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner.”
Indeed, Jack Mannino, CEO at nVisium, noted that this kind of issue isn’t unique to Experian.
“Many websites being launched for vaccine management and other public health services seem to struggle with the same issues,” he said. “Making systems accessible to the broader public using private data often has security tradeoffs and consequences. Stronger authentication and verification processes are required along with access controls and sane anti-automation defenses, in order to prevent these attacks.”
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.