Credit scores of millions of Americans were exposed online after a third-party vendor misconfigured the Application Programming Interface (API) keys belonging to the credit reporting agency, Experian. As reported by Krebs on Security, independent security researcher Bill Demirkapi discovered a vulnerability in Experian’s vendor site that allowed anyone to find out credit scores of anyone just by entering their name and mailing address.
Demirkapi stated that the Experian API could be accessed by anyone without any sort of authentication to pull a person’s credit score.
“No one should be able to perform an Experian credit check with only publicly available information. Experian should mandate non-public information for promotional inquiries, otherwise, an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system,” said Demirkapi.
— Bill Demirkapi (@BillDemirkapi) April 28, 2021
While Experian addressed the vulnerability, Demirkapi stated that it might exist in various other third-party vendor sites that are associated with Experian.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter. While this did not compromise any of Experian’s systems, we take this matter very seriously. In fact, we continually work with our clients to review their processes and ensure data security best practices,” Experian said.
Security Experts Say…
The Experian data leak incident reminds us of the importance of API security. Talking to CISO MAG, Inon Shkedy, a security researcher at security firm Traceable, said, “In the era of cloud transformation, we are finding more and more companies that unfortunately prioritize fast delivery over security. Developers are under pressure to create features and improve user experience as quickly as possible, and security is often an afterthought. APIs that expose sensitive information, such as credit score and financial insights, should be always tested for access control issues before deployment – not after it’s already being used by customers.”
“Making authorization tests as part of the CI/CD pipeline is becoming more important than ever, especially with APIs that are exposed to everyday consumers or partners, because even one breach can damage trust, have a massive financial impact and legal repercussions,” Shkedy added.