"Experian API Leaks Most Americans’ Credit Scores"
A security researcher claims that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections. Experian, for its part, refuted concerns from the security community that the issue could be systemic. The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with just a name, address, and date of birth. Demirkapi was surprised and decided to take a peek at the code, which showed that a connection to an Experian API was behind the tool. Demirkapi stated that no one should be able to perform an Experian credit check with only publicly available information. Demirkapi also said that Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system. Demirkapi was even able to build a command-line tool that let him automate lookups, even after entering all zeros in the fields for date of birth, which he named “Bill’s Cool Credit Score Lookup Utility.” In addition to raw credit scores, he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history. He ran a credit check for his friend “Bill,” which returned the explanation for his mid-700s credit score that he had too many consumer-finance company accounts. Experian said it fixed the unprotected endpoint instance. However, some researchers are concerned that other exposed Experian APIs might be out there, sitting unprotected, just waiting to be exploited by cybercriminals.
Threatpost reports: "Experian API Leaks Most Americans’ Credit Scores"