Krebs on Security reported on April 28 that Experian quietly fixed a bug in its API that exposed tens of millions of Americans' credit scores to anyone who looked them up.
Bill Demirkapi, an independent security researcher attending the Rochester Institute of Technology, was shopping for student loan vendors when he discovered a data leak of Experian credit scores.
With one of the vendors he tested, he had only to enter his name, date of birth, and address; using the Experian API, the site instantly looked up his FICO credit score and displayed it on the page. The exposure led him to report the data leak, explaining that "No one should be able to perform an Experian credit check with only publicly available information. Experian should mandate non-public information for promotional inquiries. Otherwise, an attacker who found a single vulnerability in a vendor could easily abuse Experian's system."
Demirkapi was easily able to find the API's code and could call it without providing any authentication. He even wrote a command-line tool to test whether it would look up credit scores, dubbing his handiwork "Bill's Cool Credit Score Lookup Utility."
Krebs on Security performed a blind test using Demirkapi's tool: a friend checked their own credit score with Experian, and it matched precisely what the tool served up.
Even more alarmingly, Krebs on Security reports that "In addition to credit scores, the Experian API returns for each consumer up to four 'risk factors,' indicators that might help explain why a person's score is not higher."
"For example, in my friend's case Bill's tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn't owe so much on revolving credit accounts."
Someone with a credit freeze on their account would be protected against this tool, or any other buggy API that accesses credit scores directly.
How is Experian Handling the Breach?
Experian quickly patched the leak in its API. However, Demirkapi refused to tell Experian which student loan vendor he had found exposing the data, because he suspects hundreds of financial clients could be using the same buggy API. As he put it, "If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn't fix the systemic problem."
Experian performed its own investigation and identified the vendor exposing credit scores through the API anyway. Experian issued a statement on the matter: "We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the issue. While the situation did not implicate or compromise any of Experian's systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority."
Unfortunately, Experian responded exactly as Demirkapi feared it would. He commented with disappointment that "They found one endpoint I was using and sent it into maintenance mode. But this doesn't address the systemic issue at all."
Buggy APIs are dangerous. Recently Geico reported a flaw in its own API that hackers used to exfiltrate U.S. driver's license numbers of Geico customers. The thieves used this data to apply for unemployment insurance benefits.
The more significant issue is not the hackers and thieves themselves but the companies and their lackadaisical attitude toward security and privacy. The end result is harm to the American public.