Data leak at online credit agency: Hacker can view any credit rating data
The activist Lilith Wittmann found a new way to retrieve any credit rating data with little effort. The provider reacted by shutting it down.
Once again, a provider of credit information is involuntarily disclosing highly sensitive data. As the hacker Lilith Wittmann showed using a prominent victim, "it's my data" can be used to elicit information about the payment behavior of prominent politicians, as well as any other person. Cause: an inadequately secured API call.
Credit agencies such as Schufa or Infoscore provide assessments of the creditworthiness of potential contractual partners – not only banks and companies, but also landlords routinely request this information. The start-up "it's my data" is turning this into several products such as a "creditworthiness passport" and a "tenant folder" to present to the landlord.
A little too much digital transparency
According to the company's own advertising, the itsmydata products are recommended by estate agents, 100% GDPR-compliant and certified for digital transparency. However, hacker Wittmann created more transparency than the provider intended. After creating an account with itsmydata, she was able to use an unprotected API call to change her own data, such as her name and registration address, replacing it with that of a third party. She then received that person's credit report as a convenient PDF. According to Wittmann, this procedure can be repeated any number of times.
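The flaw described above is a classic broken object-level authorization: the report lookup is keyed on profile fields the account holder can edit, rather than on the identity verified when the account was created. The following is an added illustration, not itsmydata's code or Wittmann's; all account data, addresses and report names are constructed.

```python
"""Constructed sketch of the authorization flaw described in the article,
with a vulnerable and a hardened variant side by side."""
from dataclasses import dataclass

# Constructed sample data: which credit report belongs to which verified identity
REPORTS = {
    ("Alice Example", "1 Sample St"): "report-alice.pdf",
    ("Bob Sample", "2 Test Ave"): "report-bob.pdf",
}


@dataclass
class Account:
    user_id: str
    verified_name: str       # identity established at account creation
    verified_address: str
    profile_name: str        # free-text profile fields the user may edit
    profile_address: str


class VulnerableService:
    """Report lookup keyed on user-editable profile fields: editing the
    profile retargets the lookup at whichever person the fields now name."""

    def update_profile(self, acct: Account, name: str, address: str) -> None:
        acct.profile_name, acct.profile_address = name, address

    def get_report(self, acct: Account):
        return REPORTS.get((acct.profile_name, acct.profile_address))


class HardenedService:
    """Report lookup keyed on the identity verified out-of-band. Profile edits
    are stored but never change whose report is returned, and any attempt to
    change identity fields is recorded for review."""

    def __init__(self) -> None:
        self.audit: list[str] = []

    def update_profile(self, acct: Account, name: str, address: str) -> None:
        if (name, address) != (acct.verified_name, acct.verified_address):
            self.audit.append(f"identity-field change by {acct.user_id}: {name!r} / {address!r}")
        acct.profile_name, acct.profile_address = name, address

    def get_report(self, acct: Account):
        return REPORTS.get((acct.verified_name, acct.verified_address))


def demo(service_cls):
    """Alice edits her profile to Bob's details; returns which report she gets."""
    alice = Account("u1", "Alice Example", "1 Sample St", "Alice Example", "1 Sample St")
    svc = service_cls()
    svc.update_profile(alice, "Bob Sample", "2 Test Ave")
    return svc.get_report(alice)
```

With the vulnerable service the edit yields Bob's report; with the hardened one Alice still only receives her own, and the change lands in the audit log.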
Gaps like this are nothing new for the Berliner: a good year ago, Wittmann had already used the "Bonify" app of a Schufa subsidiary to access the creditworthiness data of a celebrity. The ex-CDU health minister's credit rating had at least improved a little, Wittmann noted with amusement on social networks.
it's my data replies: "I am a teapot"
A request for comment from the heise editorial team remained unanswered until the morning of November 14, and the operator had not commented to other media either. It is also unclear how much personal data was leaked, as the security gap can be exploited by anyone with an "it's my data" account without any technical effort.
In the meantime, the operator has at least closed the login to its service, or the service is overloaded: its API responds to login attempts with HTTP status code 418, "I'm a teapot".
(cku)