According to experts, the website of consumer credit reporting giant Experian contained a major privacy vulnerability that allowed hackers to obtain customer credit reports with only a little identity data and a small change to the address shown in the URL bar.
Jenya Kushnir, a cybersecurity researcher, learned of the vulnerability while monitoring hackers selling stolen reports on Telegram, and collaborated with KrebsOnSecurity to investigate it further.
The concept was straightforward: if you had the victim's name, address, birthday, and Social Security number (all of which could have been obtained from a previous data breach), you could go to one of the websites offering free credit reports and submit the information to request one.
The website would then redirect you to the Experian site, where you would be asked further identity-verification questions, such as questions about your previous addresses.
And this is where the flaw can be exploited.
There is no need to answer any of those questions; simply change the address displayed in the URL bar from "/acr/oow/" to "/acr/report," and you will be presented with the report. While testing the concept, Krebs discovered that changing the address first redirects to "/acr/OcwError," but changing it again worked: "Experian's website then displayed my entire credit file," according to the report.
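The failure described above is a server-side authorization gap: the report endpoint trusted that the browser had already passed through the question step. As an added illustration that is not Experian's code, the Python below models the flow with a constructed session object, showing the flawed handler beside a hardened one that gates on server-held verification state and logs the skipped step for detection.

```python
# Added example, not Experian's code. Paths are the ones named in the article;
# the Session object and handlers are a constructed stand-in for real code.
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Session:
    identity_submitted: bool = False   # name, address, DOB, SSN were posted
    oow_passed: bool = False           # out-of-wallet questions answered correctly
    audit: List[str] = field(default_factory=list)


def submit_identity(s: Session) -> str:
    s.identity_submitted = True
    return "/acr/oow/"                 # send the user to the question step


def answer_oow(s: Session, correct: bool) -> str:
    # Only a correct answer set flips the server-held verification flag.
    s.oow_passed = correct
    return "/acr/report" if correct else "/acr/OcwError"


def report_vulnerable(s: Session) -> str:
    # Flawed pattern: the endpoint only checks that identity data exists and
    # relies on page order to ensure /acr/oow/ was visited. It was not.
    if not s.identity_submitted:
        return "403"
    return "REPORT"


def report_hardened(s: Session) -> str:
    # Fix: serve the report only when the server recorded a passed OOW step;
    # a request that skipped the step is logged and bounced back to it.
    if not s.identity_submitted:
        return "403"
    if not s.oow_passed:
        s.audit.append("report requested before OOW step completed")
        return "302 /acr/oow/"
    return "REPORT"


def skip_step(handler: Callable[[Session], str]) -> str:
    # Model of a client that rewrites the URL to /acr/report directly.
    s = Session()
    submit_identity(s)
    return handler(s)
```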
The good news (if it can be called that) is that Experian's reports are riddled with errors. In the case of Krebs, it contained a number of phone numbers, only one of which was previously owned by the author.
Experian has remained silent on the matter, but the issue appears to have been resolved in the meantime. It is unknown for how long the flaw was active on the site or how many fraudulent reports were generated during that time.