The website of consumer credit reporting giant Experian carried a major privacy vulnerability that allowed hackers to obtain customer credit reports, and all it took was a little identity data and a little tweak to the address displayed in the URL bar, experts have revealed.
Cybersecurity researcher Jenya Kushnir discovered the flaw on Telegram, after observing hackers selling stolen reports, and worked with KrebsOnSecurity to investigate it further.
The idea was simple – if you had the victim’s name, address, birthday and Social Security number (all of which might be obtained from a previous incident), you could go to one of the websites offering free credit reports and submit the data to request one. At that point, the website would redirect you to the Experian website, where you’d be required to prove your identity by answering further questions, such as ones about previous addresses you had lived at.
And here is where the flaw is exploitable. There is no need to answer any of those questions – all you’d need to do at this point is simply change the address displayed in the URL bar, from “/acr/oow/” to “/acr/report,” and you’d be presented with the report.
While testing the concept, Krebs found that tweaking the address first redirects to “/acr/OcwError”, but trying the tweak again worked: “Experian’s website then immediately displayed my entire credit file,” the report states.
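The flaw described above is a classic broken-access-control pattern: the identity-question step exists, but the server never records on its side whether it was passed, so a client that requests the report page directly is served. The model below is an added illustration, not Experian's code; the two paths are the ones named in the article, while the session structure, handler names and return values are assumptions. It shows a handler that trusts the browser's navigation order beside one that gates the report on server-side proof that the questions were answered.

```python
"""Added illustration (not Experian's code) of the step-skipping flaw and its fix.

vulnerable_handler only checks that identity data was submitted and trusts the
client to have completed /acr/oow/ before asking for /acr/report.
hardened_handler keeps the verification result in the server-side session and
refuses to serve the report until that step has actually passed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholder for the real report payload (constructed value).
REPORT = "<full credit file>"


@dataclass
class Session:
    """Server-side state for one report request (assumed shape)."""
    identity_submitted: bool = False  # name / address / DOB / SSN form was posted
    kba_passed: bool = False          # identity questions answered correctly
    report_served: bool = False


def vulnerable_handler(session: Session, path: str,
                       answers_correct: Optional[bool] = None) -> Tuple[int, str]:
    """Serves /acr/report to anyone who submitted identity data.

    The question page exists, but nothing checks that it was completed,
    so the request order is enforced only by the browser.
    """
    if not session.identity_submitted:
        return 403, "submit identity data first"
    if path == "/acr/oow/":
        if answers_correct is None:
            return 200, "identity questions"
        session.kba_passed = bool(answers_correct)
        return 302, "/acr/report" if answers_correct else "/acr/OcwError"
    if path == "/acr/report":
        session.report_served = True
        return 200, REPORT  # BUG: session.kba_passed is never consulted
    return 404, "not found"


def hardened_handler(session: Session, path: str,
                     answers_correct: Optional[bool] = None) -> Tuple[int, str]:
    """Same flow, but the report is gated on the server-side KBA result."""
    if not session.identity_submitted:
        return 403, "submit identity data first"
    if path == "/acr/oow/":
        if answers_correct is None:
            return 200, "identity questions"
        session.kba_passed = bool(answers_correct)
        return 302, "/acr/report" if answers_correct else "/acr/OcwError"
    if path == "/acr/report":
        if not session.kba_passed:
            # The missing check: no passed KBA step, no report. Bounce back.
            return 302, "/acr/oow/"
        session.report_served = True
        return 200, REPORT
    return 404, "not found"


def report_served_without_kba(handler) -> bool:
    """Does a direct request for /acr/report, skipping the questions, get the report?"""
    session = Session(identity_submitted=True)
    status, body = handler(session, "/acr/report")
    return status == 200 and body == REPORT and session.report_served


def report_served_after_kba(handler, answers_correct: bool) -> bool:
    """Does the normal flow (answer questions, then fetch report) still work?"""
    session = Session(identity_submitted=True)
    handler(session, "/acr/oow/", answers_correct=answers_correct)
    status, body = handler(session, "/acr/report")
    return status == 200 and body == REPORT


if __name__ == "__main__":
    print("vulnerable, questions skipped:", report_served_without_kba(vulnerable_handler))
    print("hardened, questions skipped:  ", report_served_without_kba(hardened_handler))
    print("hardened, questions passed:   ", report_served_after_kba(hardened_handler, True))
    print("hardened, questions failed:   ", report_served_after_kba(hardened_handler, False))
```

The design point is that every step of a multi-step verification must leave a server-side record that the later step checks; a URL that is only reachable by following redirects is not a control. The same state flag also gives a detection signal: a request for the report path in a session whose verification flag is unset is exactly the behaviour the article describes.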
The good news (if it can be seen as such) is that Experian’s reports are filled with inaccuracies. In the case of Krebs, his report held numerous phone numbers, only one of which had actually been the author’s, and that some time in the past.
Experian remains quiet about the matter, but the problem seems to have been fixed in the meantime. We don’t know for how long the flaw was active on the site, or how many reports were fraudulently generated during that time.