A security researcher who is also a student uncovered a technical flaw that allowed him — and anyone else who realized it — to look up the credit score of any individual using just that person’s name and address, through an Experian interface called an API, according to a published report. While the specific vulnerability has been plugged, the researcher said he fears that similar vulnerabilities may exist on “countless” other websites that work with the credit reporting agency.
The researcher uncovered the issue while shopping for student loans online. One of the sites used an API (Application Programming Interface) that let it check an individual’s credit score using only the individual’s name, address, and date of birth. The researcher was able to reach the API without any authentication and found that it still returned a credit score when the date of birth field was filled with zeros.
Along with returning a credit score from Experian, the API also provided up to four “risk factors” that detailed why the individual’s credit score was not higher.
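To make the two weaknesses concrete, here is an added example (not code from the report, the researcher, or Experian): a toy lookup handler that behaves as the article describes, beside a hardened version that requires a partner key, rejects a zeroed date of birth, and demands a full match before returning anything. The record, field names and partner key are all constructed for the example.

```python
from datetime import date
from typing import Optional

# Constructed record standing in for the credit bureau's backend:
# (normalised name, normalised address) -> (DOB as YYYYMMDD, score, risk factors)
_RECORDS = {
    ("jane doe", "1 main st"): ("19900415", 712, ["Too many recent inquiries"]),
}
# Constructed partner key; a real deployment would load keys from a secret store.
_VALID_KEYS = {"partner-key-example"}


def _norm(s: str) -> str:
    return " ".join(str(s).split()).lower()


def vulnerable_lookup(req: dict) -> Optional[dict]:
    """The flaw as described: no caller authentication, and the DOB field
    is never checked, so '00000000' (or nothing at all) still returns a score."""
    rec = _RECORDS.get((_norm(req.get("name", "")), _norm(req.get("address", ""))))
    if rec is None:
        return None
    return {"score": rec[1], "risk_factors": rec[2]}


def _parse_dob(dob: str) -> Optional[date]:
    """Accept only an 8-digit YYYYMMDD that is a real date in the past.
    date() raises ValueError for year/month/day 0, so '00000000' is rejected."""
    if len(dob) != 8 or not dob.isdigit():
        return None
    try:
        d = date(int(dob[:4]), int(dob[4:6]), int(dob[6:]))
    except ValueError:
        return None
    return d if d < date.today() else None


def hardened_lookup(req: dict, api_key: Optional[str]) -> dict:
    """Require a known partner key, a well-formed DOB, and an exact match on
    all three fields. A mismatch on any field returns the same opaque answer,
    so the endpoint cannot be used to confirm a name/address pair by itself."""
    if api_key not in _VALID_KEYS:
        return {"error": "unauthorized"}
    dob = _parse_dob(str(req.get("dob", "")))
    if dob is None:
        return {"error": "invalid request"}
    rec = _RECORDS.get((_norm(req.get("name", "")), _norm(req.get("address", ""))))
    if rec is None or rec[0] != dob.strftime("%Y%m%d"):
        return {"error": "not found"}
    return {"score": rec[1], "risk_factors": rec[2]}
```

The hardened handler should also be rate-limited and logged per partner key, so that a key used for bulk enumeration can be spotted and revoked.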
The researcher did not share the identity of the website with Experian, hoping it would instead fix the API itself, which may be in use on hundreds or thousands of websites. But Experian said it was able to determine the site in question and disabled its access to the API.
This news should serve as a reminder to everyone in the accounts receivable management industry of the importance of information security. More collection agencies are deploying technology from third parties, and those connection points need to be airtight, lest anyone need reminding of what can happen when a breach occurs.