How editing a URL allowed crooks to access Experian credit reports


Threat actors have been exploiting a website access control mistake to copy personal information held by one of the world’s biggest credit rating agencies, according to a news report.

Cybersecurity reporter Brian Krebs says that by knowing how to edit a URL, anyone could have seen the credit rating information held by Experian.

Normally individuals would have to answer several questions online about their financial history to prove their identity. However, with a little knowledge of any individual to start with — their name, address, birthday and Social Security number — and knowledge of the URL weakness, any credit history was available.

Krebs says he was tipped off about the weakness by a Ukrainian security researcher, who learned identity thieves knew how to use the URL bypass after monitoring chat channels used by crooks on the Telegram text messaging service.

The vulnerability was closed in December. It isn’t known how long the vulnerability was available or how many threat actors took advantage of it.

IT World Canada asked Experian for comment seven days ago. No response has been received.

Adam Greenhill, a security engineer at Healthcare of Ontario Pension Plan and a co-lead of the Toronto chapter of the Open Web Application Security Project, said OWASP would categorize this as a broken access control issue (A01-2021). It ranks in the top 10 in OWASP’s list of common web-related vulnerabilities.

“It happens a lot,” he said in an interview. “The underlying root cause is authorization is not being enforced in the application.”

To get access to an individual’s credit rating when the vulnerability was available, a person started by filling in an online application with personal information (name, address, birthdate and Social Security number) for identity verification. That took them to a page with several personal questions that had to be answered, such as ‘which of the following addresses did you used to live at’. A wrong answer would deny access to the report. However, anyone who knew how to edit the URL of that page could get the credit report.

The trick was to modify the page’s trailing URL from “/acr/oow/” to “/acr/report,” to have the site give access to a requested report.

This type of vulnerability can be avoided by web developers through proper threat modeling, Greenhill said, and by making sure authentication is enforced everywhere the design has specified. Before the application goes live, he added, a penetration test should also be done as a second check.
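The pattern described above, where a report page trusts that the visitor arrived through the question page instead of checking for itself, is easy to reproduce and easy to test for. The following is an added illustration, not Experian's code and not based on any knowledge of its implementation: a minimal request dispatcher with server-side sessions, a vulnerable report handler beside a hardened one, and a flow function that can serve as a regression test. The paths "/acr/oow/" and "/acr/report" come from the article; the "/acr/" identity-form path, the session fields, the applicant record and the question answer are constructed for the example.

```python
"""Broken access control (OWASP A01:2021) in a three-step verification flow.

Added example, not Experian's code. Paths /acr/oow/ and /acr/report are
from the article; everything else (the /acr/ form path, session fields,
sample applicant, sample answer) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data, not real records.
OOW_ANSWERS = {"applicant-1": "12 Elm St"}   # correct out-of-wallet answer
REPORTS = {"applicant-1": "credit report for applicant-1 (constructed)"}


@dataclass
class Session:
    """Server-side session state. Only the server writes these fields, so a
    handler may rely on them; it may never rely on which URL was requested."""
    applicant_id: Optional[str] = None   # set by the identity form (step 1)
    oow_passed: bool = False             # set only by a correct answer (step 2)


Response = Tuple[int, str]
Handler = Callable[[Session, Dict[str, str]], Response]


def handle_identity_form(session: Session, form: Dict[str, str]) -> Response:
    """Step 1: name/address/DOB/SSN submitted. Records the claim, nothing more."""
    session.applicant_id = form["applicant_id"]
    session.oow_passed = False           # a new claim resets earlier verification
    return 302, "/acr/oow/"


def handle_oow(session: Session, form: Dict[str, str]) -> Response:
    """Step 2: knowledge-based question. A wrong answer leaves oow_passed False."""
    if session.applicant_id is None:
        return 403, "identity form not submitted"
    if OOW_ANSWERS.get(session.applicant_id) == form.get("answer"):
        session.oow_passed = True
        return 302, "/acr/report"
    return 403, "verification failed"


def handle_report_vulnerable(session: Session, form: Dict[str, str]) -> Response:
    """Broken access control: assumes anyone reaching /acr/report came through
    /acr/oow/, so it only checks that step 1 happened. The question step can be
    skipped entirely by requesting this path directly."""
    if session.applicant_id is None:
        return 403, "identity form not submitted"
    return 200, REPORTS[session.applicant_id]


def handle_report_fixed(session: Session, form: Dict[str, str]) -> Response:
    """Hardened: the handler that releases the data performs the authorization
    check itself, against state only the server could have set. Deny by default."""
    if session.applicant_id is None or not session.oow_passed:
        return 403, "verification required"
    return 200, REPORTS[session.applicant_id]


def make_routes(report_handler: Handler) -> Dict[str, Handler]:
    return {"/acr/": handle_identity_form,
            "/acr/oow/": handle_oow,
            "/acr/report": report_handler}


def dispatch(routes: Dict[str, Handler], session: Session, path: str,
             form: Optional[Dict[str, str]] = None) -> Response:
    """Minimal router: the path is untrusted client input, like any URL."""
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    return handler(session, form or {})


def run_flow(report_handler: Handler, answer: Optional[str]) -> int:
    """Status code returned for /acr/report after the identity form and the
    question step (answer=None means the client went straight to the report)."""
    routes = make_routes(report_handler)
    session = Session()
    dispatch(routes, session, "/acr/", {"applicant_id": "applicant-1"})
    if answer is not None:
        dispatch(routes, session, "/acr/oow/", {"answer": answer})
    return dispatch(routes, session, "/acr/report")[0]


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_report_vulnerable),
                          ("fixed", handle_report_fixed)):
        print(name, "skipped question:", run_flow(handler, None),
              "wrong answer:", run_flow(handler, "wrong"),
              "right answer:", run_flow(handler, "12 Elm St"))
```

The vulnerable handler returns 200 whether the question was answered wrongly or never answered at all, which is the behaviour the article describes; the fixed handler returns 403 in both cases and 200 only after a correct answer. The point for a development team is the shape of `handle_report_fixed`: the decision is made where the data is released, from server-side state, so no change to the request path can influence it. A `run_flow`-style check belongs in the test suite so the enforcement cannot silently regress.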

Asked if many web developers think like a hacker, Greenhill replied that they usually have other priorities. “Most developers are paid to implement features. If they don’t have the budget or time to implement security, and it isn’t a design requirement, then it may be overlooked.”

It’s more common today for students to be taught web security in application development courses, he said. But, he added, “development teams are under extreme pressure to get things done quickly, so security can be put on the back burner.”

OWASP says access control is only effective in trusted server-side code or a server-less API where the attacker cannot modify the access control check or metadata.

The post How editing a URL allowed crooks to access Experian credit reports first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
