Threat actors were taking advantage of a website access control flaw to copy personal information held by one of the world’s largest credit rating agencies, according to a news report.
Cybersecurity reporter Brian Krebs says that by knowing how to edit a URL, anyone could view the credit rating information held by Experian.
Individuals typically have to answer a series of questions about their financial history online to prove their identity. However, with a little knowledge about a person to begin with – their name, address, birthday and Social Security number – and knowledge of the URL weakness, anyone’s credit history was available.
Krebs says he was told about the weakness by a Ukrainian security researcher, who monitored chat channels used by miscreants on the Telegram text messaging service after discovering that identity thieves knew how to use the URL bypass.
The vulnerability was closed in December. It is not known how long the vulnerability existed or how many threat actors took advantage of it.
IT World Canada asked Experian for comment 7 days ago. No response has been received.
Adam Greenhill, a security engineer with Healthcare of Ontario Pension Plan and co-head of the Toronto chapter of the Open Web Application Security Project, said OWASP would classify it as a Broken Access Control problem (A01:2021), which is in OWASP’s Top 10 list of common web application vulnerabilities.
“It happens a lot,” he said in an interview. “The underlying root cause is authorization not being invoked in the application.”
To gain access to an individual’s credit rating while the vulnerability existed, a person began by filling out an online application for identity verification with personal information (name, address, date of birth and Social Security number). This took them to a page with a number of personal questions that they had to answer, such as ‘which of the following addresses did you live at’. A wrong answer would deny access to the report. However, anyone who knew how to edit the URL of that page could access the credit report anyway.
The trick was to modify the trailing part of the page’s URL from “/acr/oow/” to “/acr/report”, which made the site serve the requested report without the questions having been answered.
This type of vulnerability can be avoided by web developers through proper threat modeling, and by ensuring that authorization is implemented everywhere the design specifies, Greenhill said. Before the application goes live, he said, a penetration test should also be done as a second check.
When asked whether many web developers think like hackers, Greenhill replied that they usually have other priorities. “Most developers are paid to implement features. If they don’t have the budget or time to implement security, and it’s not a design requirement, it can be ignored.”
He said that it is common for students to be taught web security in application development courses today. But, he added, “development teams are under extreme pressure to get the job done quickly, so safety can be put on the back burner.”
OWASP states that access control is only effective in trusted server-side code or serverless APIs, where an attacker cannot modify the access control check or its metadata.
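To make the article’s step-skipping flaw and the OWASP principle concrete, the following is an added toy model of the three-step flow (identity form, knowledge-based questions, report page). It is illustration only, not Experian’s code and not code from Krebs’s report. The paths “/acr/oow/” and “/acr/report” are taken from the article; the “/acr/start” path, the session handling, the consumer record and the audit-log helper are constructed assumptions. The same server runs in a vulnerable mode, where the report page trusts that anyone reaching its URL passed the questions, and in a hardened mode, where a server-side “verified” flag that only a correct answer can set is re-checked on every request to the report page, which is what “authorization invoked everywhere the design specifies” means in practice.

```python
"""Toy model of the identity-verification flow described in the article.

Added example; not Experian's code and not from Krebs's report. /acr/oow/
and /acr/report come from the article, everything else is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one consumer keyed by a fake SSN, plus the answer
# to a single knowledge-based ("out-of-wallet", OOW) question.
CREDIT_REPORTS = {"000-00-0000": "CONSTRUCTED SAMPLE REPORT for Jane Doe"}
OOW_ANSWERS = {"000-00-0000": "12 Elm Street"}


@dataclass
class Session:
    subject: str            # whose report this session is about
    verified: bool = False  # set only by a correct OOW answer, on the server


@dataclass
class Server:
    enforce_verification: bool                      # False = vulnerable mode
    sessions: Dict[str, Session] = field(default_factory=dict)
    # (session id, path, status, was the session verified when the request came in)
    audit_log: List[Tuple[str, str, int, bool]] = field(default_factory=list)

    def handle(self, sid: str, path: str,
               form: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
        """Dispatch one request, returning (HTTP status, body) and logging it."""
        form = form or {}
        s = self.sessions.get(sid)
        verified_before = s is not None and s.verified
        if path == "/acr/start":
            status, body = self._start(sid, form)
        elif path == "/acr/oow/":
            status, body = self._oow(sid, form)
        elif path == "/acr/report":
            status, body = self._report(sid)
        else:
            status, body = 404, "not found"
        self.audit_log.append((sid, path, status, verified_before))
        return status, body

    def _start(self, sid: str, form: Dict[str, str]) -> Tuple[int, str]:
        # Step 1: applicant submits name, address, DOB and SSN (only SSN modelled).
        ssn = form.get("ssn", "")
        if ssn not in CREDIT_REPORTS:
            return 404, "no such consumer"
        self.sessions[sid] = Session(subject=ssn)
        return 302, "/acr/oow/"

    def _oow(self, sid: str, form: Dict[str, str]) -> Tuple[int, str]:
        # Step 2: the question page. The verified flag lives server-side, so
        # editing the browser's URL cannot change it.
        s = self.sessions.get(sid)
        if s is None:
            return 401, "no session"
        if form.get("answer") == OOW_ANSWERS[s.subject]:
            s.verified = True
            return 302, "/acr/report"
        return 403, "wrong answer"

    def _report(self, sid: str) -> Tuple[int, str]:
        # Step 3: the report page. Vulnerable mode assumes that reaching this
        # URL proves step 2 was passed; hardened mode re-checks the flag here.
        s = self.sessions.get(sid)
        if s is None:
            return 401, "no session"
        if self.enforce_verification and not s.verified:
            return 403, "identity not verified"
        return 200, CREDIT_REPORTS[s.subject]


def suspicious_sessions(server: Server) -> List[str]:
    """Detection helper: sessions that requested /acr/report while still
    unverified, i.e. the question step was skipped by editing the URL."""
    return sorted({sid for sid, path, _, verified in server.audit_log
                   if path == "/acr/report" and not verified})


def skip_oow_walkthrough(enforce: bool) -> Tuple[int, List[str]]:
    """Start verification, then jump straight to /acr/report without answering.
    Returns the report page's status and the sessions the audit log flags."""
    srv = Server(enforce_verification=enforce)
    srv.handle("sess-1", "/acr/start", {"ssn": "000-00-0000"})
    status, _ = srv.handle("sess-1", "/acr/report")
    return status, suspicious_sessions(srv)


def honest_walkthrough() -> Tuple[int, List[str]]:
    """Answer the question correctly before requesting the report."""
    srv = Server(enforce_verification=True)
    srv.handle("sess-2", "/acr/start", {"ssn": "000-00-0000"})
    srv.handle("sess-2", "/acr/oow/", {"answer": "12 Elm Street"})
    status, _ = srv.handle("sess-2", "/acr/report")
    return status, suspicious_sessions(srv)


if __name__ == "__main__":
    print("vulnerable, step skipped:", skip_oow_walkthrough(False))  # (200, ['sess-1'])
    print("hardened, step skipped:", skip_oow_walkthrough(True))     # (403, ['sess-1'])
    print("hardened, question answered:", honest_walkthrough())      # (200, [])
```

Two points follow from the model. First, the only difference between the vulnerable and hardened report handlers is the re-check of server-held state on the page that actually releases the data; a redirect from the question page is not an authorization decision, because the client chooses which URL it requests next. Second, the audit log gives a detection signal even in the vulnerable mode: report requests from sessions that never completed the question step are exactly the traffic a defender would want to alert on, and the hardened mode turns those same requests into 403s.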