Experian API Flaw Raises QuestionsCybersecurity Experts Call for Systemic Improvements
Some security experts are questioning whether Experian is doing enough to ensure security after a researcher discovered that an API the credit reporting firm uses to allow lenders to check the credit score of prospective borrowers could expose customer's scores.
While visiting one lender's website, Bill Demirkapi, a student at the Rochester Institute of Technology who's a threat researcher, discovered the API issue, he told Krebs on Security. The vulnerability on that website, which Experian says it has since fixed, allowed someone to look up another person's credit score and some additional financial history by inputting their name, address and date of birth. But Demirkapi says he had to enter the birthdate as all zeroes to exploit the vulnerability.
When Information Security Media Group asked Experian about how it addressed the API problem, it said in a statement: “We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter."
Experian added: "While this did not compromise any of Experian's systems, we take this matter very seriously. In fact, we continually work with our clients to review their processes and ensure data security best practices."
Demirkapi told Krebs he fears the same API weakness may be present at other lending websites that work with the credit bureau. He did not immediately reply to ISMG's request via Twitter for further comment.
Sandy Carielli, an analyst at the research firm Forrester, notes: "I share Demirkapi's concern about Experian's response. If this is an API that was not meant to be exposed in the first place, and no one has access to it any more, that's good. If that's not the case, and if the API remains available to other partners, then any other partner could make the same API call and send in the same limited data to get information on anyone's credit score."
Tom Garrubba, CISO with the nonprofit third-party risk organization Shared Assessments, notes an attacker could have used the credit score information divulged by the API to create a script to query and extract a huge amount of personal records and store them on the dark web for ransom or sale.
"Demirkapi makes a great point when he noted 'they found one endpoint I was using and sent it into maintenance mode … but this doesn’t address the systemic issue at all.' The systemic issue he's referring to is the way their vendor constructed their APIs and performed (if any) testing for vulnerabilities," Garrubba says.
Discovering the Problem
Because the API vulnerability was discovered accidentally by someone who was curious enough to check the back-end code on a website, a determined cybercriminal could have made the same discovery, says Sean Nikkel, a senior cyberthreat intel analyst at the research firm Digital Shadows.
"Adversaries have plenty of smart and capable people who scan the internet and look for site vulnerabilities, often using a wide variety of homegrown or off-the-shelf tools. If a college student could find it, a veteran red-teamer could likely be looking for the same thing," he says.
The challenge, he says, is determining "how long this API was potentially exposed and how many downstream vendors may still be affected," Nikkel says. "It may have been years, weeks or hours of exposure. And at this point, we have no idea how many instances still have this problem."
The Experian incident illustrates how important it is to test API security, security experts say.
"API security requires a holistic set of controls from the client all the way through to the infrastructure and from development through deployment," Carielli says. "This includes API gateways for authentication and authorization, web application firewalls that can validate data in API calls, and API security-specific tools that are designed to detect and respond to API attacks."
Garrubba adds that companies that outsource software development need to obtain hard evidence of the secure coding practices of their vendor partners. This assessment should include a complete understanding of how these firms are addressing API code vulnerabilities.
Austin Berglas, former assistant special agent in charge of the FBI's New York cyber office, says key API security steps include conducting an "accurate and up-to-date inventory of your publicly available interfaces, ensuring that only the appropriate data is exposed, requiring users to authenticate and employing rate limiting to prevent denial-of-service attacks." Berglas is now global head of professional services at the cybersecurity firm BlueVoyant.
Nikkel also calls for conducting web application penetration testing during application development.
Experian's Earlier Security Issues
In 2015, Experian suffered a breach when one of its servers that stored personal information for some 15 million T-Mobile customers was hacked.
Experian said it discovered that "an unauthorized party" accessed its systems, exposing data collected from September 2013 to September 2015 (see: Experian Hack Slams T-Mobile Customers).
In August 2020, a data breach affecting Experian's South African branch exposed information on an estimated 24 million consumers and almost 800,000 businesses, according to the South African Banking Risk Information Center, a nonprofit financial crime risk information center (see: Experian Breach in South Africa Affects 24 Million Consumers).