30 April 21, 09:51
Quote:A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, that he said was left open on a lender site without even basic security protections.
Experian, for its part, refuted concerns from the security community that the issue could be systemic.
The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he found a lender that would check his eligibility with just a name, address and date of birth, according to a published report.
Demirkapi was surprised and decided to take a peek at the code, which showed that an connection to an Experian API was behind the tool, he said.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
Demirkapi said he was even able to build a command-line tool that let him automate lookups, even after entering all zeros in the fields for date of birth, which he named, “Bill’s Cool Credit Score Lookup Utility.”
In addition to raw credit scores, Krebs said that he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history. He ran a credit check for his friend “Bill” which returned the explanation for his mid-700s credit score that he had “Too many consumer-finance company accounts.”
Read more: Experian API Leaks Most Americans’ Credit Scores | Threatpost