While using an unnamed lender site, an independent security researcher by the name of Bill Demirkapi discovered a flaw in an API that was designed to assess an individual's credit worthiness as part of promotional inquiries. The lender site called an Experian API to validate the user-provided PII, including first name, last name, address, zip code and birthdate. This API was found to be leaky based on the information it used to identify the API caller and the personal data it served back in the response. The credit information returned by the Experian API included FICO scores and risk factors that impact the given individual's credit history, such as proportion of balances to credit, number of accounts, and length of time accounts have been open.

The API was designed to use authentication material that is largely public or semi-public. Much of the authentication material for a given person can be gathered through Internet searches of public repositories or by harvesting data from prior breaches at other organizations.

The leaky API from Experian exhibited the following weaknesses:

- The API used PII that is largely public information as authentication material.
- Birthdate was also not being properly enforced, but it's likely someone could guess this info anyway.
- Lack of resources and rate limiting (potential).

Attackers can find PII such as what was used here readily with Internet searches and by scouring social media services. The issue maps to OWASP API2:2019 Broken User Authentication, though in this case the situation is more about choosing a weak authentication factor rather than the authentication mechanism being broken. Knowledge-based authentication (KBA) mechanisms often rely on information that's essentially "public" as a result of prior data breaches, which weakens authentication for any API that is designed to use KBA. It is not an issue specific to just Experian. It's also common to find these types of KBA mechanisms within forgotten password flows. If KBA isn't paired with other strong authentication factors, such controls can be brute forced by an attacker given enough time.

The Experian API was not properly validating the birthdate value provided in the API request. It should never be possible to supply an invalid value such as 00/00/00 as a birthdate. The API was already relying on weak authentication, and this lack of validation for the most private authentication material weakened things even further. We can only presume this birthdate validation was disabled as a result of debugging or testing functionality that made its way to production.
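The two controls the post says were missing, strict birthdate validation and a limit on failed attempts per subject, are small enough to show in code. The following is an added example written for this page; it is not code from the original post or from Experian, and the field names, the MM/DD/YYYY format, the age bounds and the attempt limits are all assumptions chosen for illustration.

```python
"""Added example, not code from the original post or from Experian: strict
validation of the PII fields a KBA-style lookup API accepts, plus a
per-subject failed-attempt limiter. Field names, date format and limits
are assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import date, datetime

REQUIRED_FIELDS = ("first_name", "last_name", "address", "zip", "birthdate")
MIN_AGE_YEARS = 18    # assumption: promotional credit inquiries target adults
MAX_AGE_YEARS = 120


def validate_birthdate(raw, today=None):
    """Parse an MM/DD/YYYY birthdate and return a date, or raise ValueError.

    Sentinel values such as 00/00/00 or 00/00/0000 are rejected because
    strptime refuses month 0, day 0 and year 0; dates in the future or
    outside a plausible age range are rejected explicitly.
    """
    today = today or date.today()
    if not isinstance(raw, str):
        raise ValueError("birthdate must be a string")
    try:
        parsed = datetime.strptime(raw.strip(), "%m/%d/%Y").date()
    except ValueError:
        raise ValueError(f"not a real MM/DD/YYYY date: {raw!r}") from None
    if parsed > today:
        raise ValueError("birthdate is in the future")
    age = today.year - parsed.year - ((today.month, today.day) < (parsed.month, parsed.day))
    if not MIN_AGE_YEARS <= age <= MAX_AGE_YEARS:
        raise ValueError(f"implausible age {age}")
    return parsed


class AttemptLimiter:
    """Count failed KBA attempts per subject inside a sliding window.

    The key is the person being looked up (name + zip), not the caller, so
    repeated birthdate guesses against one subject hit the limit even when
    each request comes from a different client. `now` (seconds) is passed
    in rather than read from the clock so the behaviour is deterministic.
    """

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key, now):
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)


def subject_key(request):
    """Normalise the fields that identify the person being looked up."""
    return (request["first_name"].strip().lower(),
            request["last_name"].strip().lower(),
            request["zip"].strip())


def check_request(request, limiter, now, today=None):
    """Validate a lookup request before any credit data is fetched.

    Returns "ok" when the request is well formed and the subject is not
    rate limited, otherwise a short reason string. Only the request shape
    is checked here; matching the PII against a record happens later and
    its failures should be recorded with the same limiter.
    """
    missing = [f for f in REQUIRED_FIELDS if not request.get(f)]
    if missing:
        return f"missing fields: {', '.join(missing)}"
    key = subject_key(request)
    if limiter.is_blocked(key, now):
        return "too many failed attempts for this subject"
    try:
        validate_birthdate(request["birthdate"], today)
    except ValueError as exc:
        limiter.record_failure(key, now)   # malformed guesses count against the subject
        return f"invalid birthdate: {exc}"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests; the person and address are fictitious.
    base = {"first_name": "Jane", "last_name": "Doe",
            "address": "1 Example St", "zip": "12345"}
    limiter = AttemptLimiter(max_failures=3, window_seconds=900)
    fixed_today = date(2021, 4, 30)
    for i, bd in enumerate(["00/00/00", "00/00/0000", "13/01/1990", "01/01/1990"]):
        result = check_request({**base, "birthdate": bd}, limiter, now=i, today=fixed_today)
        print(f"{bd:>11} -> {result}")
```

Running the block shows the two checks working together: the three malformed birthdates are each rejected by the parser, and because they all targeted the same subject the fourth, well-formed request is refused by the limiter until the window expires. Keying the limiter on the subject rather than the caller's IP is the design choice that matters for a KBA endpoint, since the post's concern is guessing against one person's record.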