The consumer credit reporting giant Experian's website contained a major security flaw that allowed hackers to obtain consumers' credit reports, and all it took was some identity information and a minor adjustment to the address shown in the URL bar, experts have revealed.
Cybersecurity researcher Jenya Kushnir discovered the flaw after seeing hackers selling stolen reports on Telegram, and teamed up with KrebsOnSecurity to investigate it further.
The idea was simple: if you had the victim's name, address, date of birth, and Social Security number (all of which can be obtained from a previous incident), you could go to one of the websites that offer free credit reports and submit that data to request one. At that point, the website would redirect you to the Experian website, where you would need to provide more personally identifiable information, such as answers to questions about previous residential addresses and the like.
And here is where the flaw can be exploited. There's no need to answer all of these questions – all you need to do at this point is change the address shown in the URL bar from "/acr/oow/" to "/acr/report", and you would be presented with the report.
While testing the concept, Krebs found that modifying the address first redirected to "/acr/OcwError", but trying again worked: "The Experian website then immediately showed my full credit file," the report said.
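The failure described above is a sensitive endpoint that trusts the browser to have completed the verification step rather than checking that fact on the server. As an added example that is not from the article, from KrebsOnSecurity, or from Experian, the following shows the flawed gating pattern beside a hardened one, and a log check a defender could run to find sessions that reached the report endpoint without finishing verification. Only the three URL paths come from the article; the session fields, the log format and the sample log lines are constructed for this illustration.

```python
"""Server-side gating of a report endpoint behind identity verification,
plus an access-log check for sessions that skipped the verification step.
Added example; the session record and log format are hypothetical."""

from dataclasses import dataclass

REPORT_PATH = "/acr/report"    # path from the article
KBA_PATH = "/acr/oow"          # identity-question (out-of-wallet) step, from the article
ERROR_PATH = "/acr/OcwError"   # error page from the article


@dataclass
class Session:
    """Constructed server-side session record (field names are hypothetical)."""
    session_id: str
    identity_submitted: bool = False   # name/address/DOB/SSN were accepted
    kba_passed: bool = False           # identity questions answered correctly


def vulnerable_report(session: Session) -> tuple[int, str]:
    """Flawed pattern: only checks that identity data was submitted and assumes
    the browser went through KBA_PATH before requesting the report."""
    if not session.identity_submitted:
        return 302, KBA_PATH
    return 200, "FULL CREDIT FILE"


def hardened_report(session: Session) -> tuple[int, str]:
    """Hardened pattern: the report is released only when the server itself has
    recorded that the verification step completed in this session. A request
    that arrives early is sent back to the verification step, not the report."""
    if not session.identity_submitted:
        return 302, KBA_PATH
    if not session.kba_passed:
        return 302, KBA_PATH
    return 200, "FULL CREDIT FILE"


# Constructed access log: "<timestamp> sid=<session> <method> <path> <status>".
# Session s1 completes verification before fetching the report; s2 never does.
SAMPLE_LOG = """\
2000-01-01T10:00:01Z sid=s1 POST /acr/identity 200
2000-01-01T10:00:09Z sid=s1 POST /acr/oow 200
2000-01-01T10:00:10Z sid=s1 GET /acr/report 200
2000-01-01T10:05:00Z sid=s2 POST /acr/identity 200
2000-01-01T10:05:03Z sid=s2 GET /acr/report 302
2000-01-01T10:05:04Z sid=s2 GET /acr/OcwError 200
2000-01-01T10:05:07Z sid=s2 GET /acr/report 200
"""


def sessions_bypassing_kba(log_text: str) -> list[str]:
    """Return session ids that received a 200 from REPORT_PATH without an
    earlier successful POST to KBA_PATH in the same session."""
    verified: set[str] = set()
    flagged: list[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the constructed format
        _ts, sid_field, method, path, status = parts
        sid = sid_field.removeprefix("sid=")
        if method == "POST" and path == KBA_PATH and status == "200":
            verified.add(sid)
        elif path == REPORT_PATH and status == "200" and sid not in verified:
            if sid not in flagged:
                flagged.append(sid)
    return flagged


if __name__ == "__main__":
    unverified = Session("demo", identity_submitted=True, kba_passed=False)
    print("vulnerable:", vulnerable_report(unverified))  # (200, 'FULL CREDIT FILE')
    print("hardened:  ", hardened_report(unverified))    # (302, '/acr/oow')
    print("sessions that skipped verification:", sessions_bypassing_kba(SAMPLE_LOG))
```

The log check is deliberately stateful per session rather than per request: a single request to the report path is normal traffic, and only its position relative to the verification step in the same session distinguishes a legitimate fetch from a skipped check.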
The good news (if it can be seen as such) is that Experian's reports are full of inaccuracies. In Krebs' case, the file contained numerous phone numbers, only one of which had belonged to the author at some point in the past.
Experian has not commented on the matter, but the problem appears to have been resolved in the meantime. It is not known how long the bug was live on the site, or how many alerts were fraudulently generated during that time.