September 12, 2017

Equifax’s Credit-Monitoring Site is also Vulnerable as US Senators Demand Answers

The website set up by Equifax to enable credit account monitoring following last week’s comprehensive security breach is also vulnerable to hackers.

The aftermath of last week’s breach saw millions of users setting up alerts and freezes on one or multiple credit accounts.  As it turns out, a new website used by Equifax to set up alerts on an individual’s credit rating history can be spoofed easily, a security researcher has discovered.

As reported by ZDNet, security researcher Martin Hall revealed that the credit alert website can be ‘easily spoofed’. The website allows users to request a 90-day fraud or active duty alert for credit report holders. However, the vulnerabilities in the website enable hackers to steal personal information from those who visit it.

Specifically, the website is vulnerable to a cross-site scripting (XSS) attack, which allows an attacker to run malicious code in the context of a website or web application. With the malicious code included in an Equifax web URL, the injected content is rendered as part of the Equifax domain. The browser still presents the site as secure, with a ‘lock’ icon in the browser window: the lock only indicates an encrypted connection to the genuine site, not that the page content can be trusted.

Essentially, anyone who knows the code can use it in phishing emails to gather personal information from unsuspecting consumers.
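The pattern the article describes, untrusted content from a URL parameter rendered inside the site's own origin, shown as an added example beside its hardened form. This is illustrative code, not Equifax's; the URL, the `name` parameter and the page text are assumptions, and the sample input is constructed.

```javascript
// Encode the five characters that let a value break out of an HTML text node
// or attribute and become markup of its own.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the query parameter is concatenated straight into the
// page, so any markup carried in the URL is rendered under the site's origin.
function renderUnsafe(name) {
  return `<p>Alert request received for ${name}</p>`;
}

// Hardened: the same value is HTML-encoded before insertion, so it can only
// ever be displayed as text, whatever the URL contained.
function renderSafe(name) {
  return `<p>Alert request received for ${escapeHtml(name)}</p>`;
}

// Extract one parameter from a URL the way a server-side handler would.
function queryParam(url, key) {
  return new URL(url).searchParams.get(key) ?? "";
}

// Defender-side check for a response: does any tag present in the input
// appear verbatim in the rendered HTML? True means markup was reflected raw.
function reflectsMarkup(html, input) {
  const tags = input.match(/<[^>]+>/g) || [];
  return tags.some((t) => html.includes(t));
}

// Constructed sample URL (hypothetical host and parameter). The value carries
// a harmless <b> tag purely to make the difference between renderers visible.
const sampleUrl =
  "https://example.invalid/alert?name=Jane%3Cb%3Eunexpected%3C%2Fb%3E";
const sampleName = queryParam(sampleUrl, "name");

console.log(renderUnsafe(sampleName)); // tag from the URL is live in the page
console.log(renderSafe(sampleName));   // same text, rendered inert
console.log(reflectsMarkup(renderUnsafe(sampleName), sampleName)); // true
console.log(reflectsMarkup(renderSafe(sampleName), sampleName));   // false
```

The same `reflectsMarkup` check can be run against captured responses during a review to flag handlers that echo URL parameters without encoding.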

“I looked at the code and noticed that I could break out of the developers’ code into my own,” Hall told ZDNet. “This gives me full permission to change the page to say or load any content I want.”

Alarmingly, Hall added that he had reached out to Equifax’s security team about multiple flaws in the company’s website but he did not hear back from the company.

Meanwhile, two key US senators have demanded Equifax answer detailed questions about the breach, which affected some 143 million Americans.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” reads the letter by Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden.

Image credit: Pixabay.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
