Credit bureau Experian has only just fixed a weakness with a partner site that allowed anyone to search through tens of millions of records with a name and mailing address. Experian says the leak has been plugged, but the researcher who first reported the leak says the flaw could still be present in other websites connected to Experian.
Independent security researcher Bill Demirkapi, a sophomore at the Rochester Institute of Technology, said he found the exposure while searching for a student loan vendor.
Demirkapi found a lender's website that offered to check his eligibility once he entered his name, address, and date of birth. Looking at the page's source, he saw that it called an Experian API (Application Programming Interface) that lets partner websites query Experian automatically for a consumer's FICO credit score.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi found that the API could be called directly, without any authentication, and that entering all zeros in the "date of birth" field still returned a credit score. In other words, a name and mailing address, both publicly available, were enough to pull a score. He wrote a command-line tool, which he called "Bill's Cool Credit Score Lookup Utility," that automated the lookup. Besides the score, the API returns a consumer's risk factors, the reasons the score isn't higher.
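The failure mode described above, shape-only validation of the date-of-birth field on an endpoint that never authenticates its caller, is easy to see in code. The following is an added example written for this page, not code from Experian, the lender, or Demirkapi's tool. The records, the partner secret, the YYYYMMDD field format, and the assumption that the backend treats an all-zero date of birth as "not supplied" (and so matches on name and address alone) are all constructed for illustration. It places a weak lookup handler beside a hardened one that parses the date strictly, rejects sentinel values instead of widening the match, and requires an HMAC token that only an authorised partner could produce.

```python
"""Constructed example: weak vs. hardened handling of a credit-score lookup.
Nothing here is Experian's or any lender's real code or data."""
import hashlib
import hmac
import re
from datetime import date, datetime
from typing import Optional

# Constructed sample records standing in for the bureau's database.
RECORDS = [
    {"name": "Jane Doe", "address": "1 Main St", "dob": date(1980, 5, 17),
     "score": 712, "risk_factors": ["Proportion of balances to credit limits is too high"]},
    {"name": "John Roe", "address": "9 Elm Ave", "dob": date(1975, 11, 2),
     "score": 655, "risk_factors": ["Too few accounts currently paid as agreed"]},
]

# Hypothetical shared secret held by an authorised partner (assumption, not a real key).
PARTNER_SECRET = b"example-partner-secret"

DOB_SHAPE = re.compile(r"^\d{8}$")  # YYYYMMDD, digits only


def weak_lookup(name: str, address: str, dob: str) -> Optional[dict]:
    """Weak handler: no caller authentication, and the DOB is checked only by shape.
    '00000000' is eight digits, so it passes.  With the (assumed) backend convention
    that all zeros means 'not supplied', the match collapses to name + address,
    both of which are public information."""
    if not DOB_SHAPE.match(dob):
        return None
    for rec in RECORDS:
        if rec["name"] == name and rec["address"] == address:
            if dob == "00000000" or rec["dob"].strftime("%Y%m%d") == dob:
                return {"score": rec["score"], "risk_factors": rec["risk_factors"]}
    return None


def parse_dob(dob: str) -> Optional[date]:
    """Semantic validation: the field must parse as a real calendar date and fall in a
    plausible range for a credit applicant.  Sentinels such as '00000000' fail strptime."""
    try:
        parsed = datetime.strptime(dob, "%Y%m%d").date()
    except ValueError:
        return None
    if parsed.year < 1900 or parsed > date.today():
        return None
    return parsed


def partner_token(name: str, address: str, dob: str) -> str:
    """HMAC-SHA256 over the request fields under the partner secret.  A hypothetical
    stand-in for the caller authentication a lookup API should require; it binds the
    token to this exact request so it cannot be replayed for another consumer."""
    msg = "|".join([name, address, dob]).encode()
    return hmac.new(PARTNER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_lookup(name: str, address: str, dob: str, token: str) -> Optional[dict]:
    """Hardened handler: authenticate the caller first, then require a valid DOB that
    matches the record exactly.  An unparseable DOB is rejected, never treated as a wildcard."""
    if not hmac.compare_digest(token, partner_token(name, address, dob)):
        return None  # caller could not prove it is an authorised partner
    parsed = parse_dob(dob)
    if parsed is None:
        return None  # sentinel or impossible date
    for rec in RECORDS:
        if rec["name"] == name and rec["address"] == address and rec["dob"] == parsed:
            return {"score": rec["score"], "risk_factors": rec["risk_factors"]}
    return None


if __name__ == "__main__":
    # Public information only: the weak handler answers, the hardened one does not.
    print("weak, zero DOB:", weak_lookup("Jane Doe", "1 Main St", "00000000"))
    tok = partner_token("Jane Doe", "1 Main St", "00000000")
    print("hardened, zero DOB:", hardened_lookup("Jane Doe", "1 Main St", "00000000", tok))
    tok = partner_token("Jane Doe", "1 Main St", "19800517")
    print("hardened, real DOB:", hardened_lookup("Jane Doe", "1 Main St", "19800517", tok))
```

The two fixes are independent and both are needed: strict parsing alone still lets an unauthenticated caller query anyone whose date of birth they can guess or look up, and caller authentication alone still lets a single compromised partner site run wildcard lookups. Requiring a second, non-public identifier in the match, as the researcher suggests, closes the remaining gap.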
Demirkapi declined to identify the lender whose website exposed the API. He said he suspects hundreds, if not thousands, of companies integrate the same API, and that any of their websites could be exposing it in the same way and leaking access to Experian's data.
“If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained. For its part, Experian said it had resolved the issue with the partner in question.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”