Threat actors have been exploiting a website access control mistake to copy personal information held by one of the world’s biggest credit rating agencies, according to a news report.
Cybersecurity reporter Brian Krebs says that by knowing how to edit a URL, anyone could have seen the credit rating information held by Experian.
Normally individuals would have to answer several questions online about their financial history to prove their identity. However, with a little knowledge of any individual to start with — their name, address, birthday and Social Security number — and knowledge of the URL weakness, any credit history was available.
Krebs says he was tipped off about the weakness by a Ukrainian security researcher, who learned identity thieves knew how to use the URL bypass after monitoring chat channels used by crooks on the Telegram text messaging service.
The vulnerability was closed in December. It isn’t known how long the vulnerability was available or how many threat actors took advantage of it.
IT World Canada asked Experian for comment seven days ago. No response has been received.
Adam Greenhill, a security engineer at Healthcare of Ontario Pension Plan and a co-lead of the Toronto chapter of the Online Web Application Security Project, said OWASP would categorize this as a broken access control issue (A01-2021). It ranks in the top 10 in OWASP’s list of common web-related vulnerabilities.
“It happens a lot,” he said in an interview. “The underlying root cause is authorization is not being enforced in the application.”
To get access to an individual’s credit rating when the vulnerability was available, a person started by filling in an online application with personal information (name, address, birthdate and Social Security number) for identity verification. That took them to a page with several personal questions that had to be answered, such as ‘which of the following addresses did you used to live at’. A wrong answer would deny access to the report. However, anyone who knew how to edit the URL of that page could get the credit report.
The trick was to modify the page’s trailing URL from “/acr/oow/” to “/acr/report,” to have the site give access to a requested report.
This type of vulnerability can be avoided by web developers through proper threat modeling. Greenhill said, and by making sure authentication is enforced everywhere the design has specified. Before the application goes live, he added, a penetration test should also be done as a second check.
Asked if many web developers think like a hacker, Greenhill replied that they usually have other priorities. “Most developers are paid to implement features. If they don’t have the budget or time to implement security, and it isn’t a design requirement, then it may be overlooked.”
It’s more common today for students to be taught web security in application development courses, he said. But, he added, “development teams are under extreme pressure to get things done quickly, so security can be put on the back burner.”
OWASP says access control is only effective in trusted server-side code or a server-less API where the attacker cannot modify the access control check or metadata.
