In this week’s Cyber Blurbs Roundup, we take a look at Experian’s big problem, the issues facing a massively popular kids game, and the unfortunately predictable headaches with contact tracing apps.
Experian Exposed Millions of Credit Scores Online
We’ll lead off with a story originally published over at KrebsOnSecurity: Experian, up until recently, was dealing with a significant flaw in its system that allowed just about anybody to look up the credit score of tens of millions of Americans with only a name and mailing address.
Experian has since fixed the issue, but security researchers worry that identical issues may be found in other lending websites that operate with the credit bureau. Bill Demirkapi, a security researcher currently in his undergrad at the Rochester Institute of Technology, told Krebs he discovered the weakness while searching for student loan lenders online. After taking a look at the code behind one of the pages he landed on, he noticed something peculiar.
While the website required a full name, mailing address, and date of birth in order to access a credit score, Demirkapi says entering all zeros as a date of birth allowed him to access the credit score anyway.
“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”
The leak was also capable of providing as many as four risk factors that would help the user understand why the subject’s credit score was not higher.
Experian was made aware of the issue and resolved it, although Demirkapi worries that any website using Experian’s API will run into the same issues.
Popular Mobile Game Offers Subpar Security Measures
Roblox is one of the most popular mobile games on the planet, responsible for more than 100 million installs on Android devices and more than 199 million monthly active players overall. The online game gives users the ability to design and play their own… games. Candidly, I don’t fully understand it, but that doesn’t a) take away from the premise of this story, or b) make it any less of a massive platform for online gaming. Roblox is, apparently, particularly popular with the younger crowds.
That prompted the folks over at CyberNews to conduct an investigation into the security features offered by the Roblox app on Android, and the results are less than ideal. Far less, actually. You can read the full CyberNews article here, but in short, Roblox’s Android platform is not sufficiently secure, and runs the risk of exposing user data (again, underage user data) to bad actors who suddenly have reason to seek it.
Concerns are apparently higher for older Android devices (i.e., the old tablet or phone you loaned out to your little one(s) after you upgraded to the latest and greatest model). Those devices aren’t capable of running the most up-to-date security signatures, which amounts to about 7.5% of all Android devices, according to CyberNews.
“Our analysis of the Roblox app on Android has shown that even a publicly traded organization with decades of development experience, hundreds of millions of customers, and a budget to match can be potentially vulnerable to security lapses,” CyberNews wrote in its story.
“To be clear, our findings do not mean that Roblox is a disaster security-wise, but there could be multiple security risks under the hood. Hopefully, Roblox will address them in the near future, before these risks turn into actual vulnerabilities.”
CyberNews has reached out to Roblox, but says it has yet to hear back.
Contact Tracing App Leaking Data on Android Devices
Roughly 12 months ago, the world was introduced to the concept of mobile contact tracing. That is, opt-in software baked into Android and Apple devices — courtesy of a rare partnership between Google and Apple — that would allow users to receive a notification if they had come in contact with another user who tested positive for COVID-19. Both companies promised that securing user data was a top priority.
That promise didn’t stop the Department of Homeland Security from investing $200,000 into an investigation to determine just how secure the software was. AppCensus, awarded the funding to conduct the research, recently determined that the Android version of the Google-Apple software was capable of leaking data to other apps found on the device.
In short, the Android version of the contact tracing API is designed to collect data and log it into a secure space on the phone that is typically off-limits for most apps on the device. But devices come with a set of preinstalled apps which often have special privileges (like accessing that off-limits space). There is no evidence to suggest that any pre-installed apps have actually taken advantage of the loophole, according to Joel Reardon, co-founder and forensics lead of AppCensus (via The Markdown).
Reardon says he first contacted Google about the vulnerability in February as part of the company’s bug bounty program, a request that the company denied after deciding it wasn’t a big enough issue to warrant a payout. Google has since stated it is working on a fix.
You can read the full report from AppCensus here.