Security journalist Brian Krebs revealed on Friday that the website of First American Financial, a financial services company, had recently exposed 885 million documents containing sensitive information.
First American Financial, as per its Wikipedia page, is “a leading provider of title insurance and settlement services to the real estate and mortgage industries.”
Krebs learned from Ben Shoval, a real estate developer in Washington state, that a section of First American’s website, firstam.com, had been storing hundreds of millions of title insurance records without adequate protection.
The leaked documents contained social security numbers, bank account numbers and statements, driver’s licenses, tax and mortgage records, and wire transaction receipts.
This was the result of an insecure direct object reference (IDOR) flaw: anyone could access every document First American stored on this section of its site simply by changing a value in the link to a legal document. For example, if a document is served at example.com/file001.pdf, changing the URL to example.com/file002.pdf fetches a different document.
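An added example, not code from the article or from First American, showing the pattern in a minimal Python service: the vulnerable lookup trusts the sequential id in the request, while the hardened lookup checks ownership before returning the record, and an unguessable link token is layered on top of that check rather than replacing it (class names, users and document contents are constructed for the example).

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Document:
    doc_id: int   # sequential key, like the file001/file002 pattern above
    owner: str    # customer the record belongs to
    body: str


@dataclass
class DocumentService:
    docs: dict[int, Document] = field(default_factory=dict)
    # opaque link tokens -> doc_id, used only by the hardened path
    tokens: dict[str, int] = field(default_factory=dict)

    def add(self, owner: str, body: str) -> int:
        doc_id = len(self.docs) + 1          # predictable, sequential id
        self.docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def fetch_vulnerable(self, requester: str, doc_id: int) -> str:
        """IDOR: the id in the request is trusted as-is and the requester
        is never compared with the owner, so any id returns any record."""
        return self.docs[doc_id].body

    def fetch_checked(self, requester: str, doc_id: int) -> str:
        """Hardened: look the object up, then verify the caller owns it.
        The id can stay guessable; the authorization check is the fix."""
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner != requester:
            # Same error for 'missing' and 'not yours' so ids cannot be probed.
            raise PermissionError("document not found")
        return doc.body

    def link_for(self, requester: str, doc_id: int) -> str:
        """Issue an unguessable reference for a document the caller owns."""
        self.fetch_checked(requester, doc_id)   # reuses the ownership check
        token = secrets.token_urlsafe(16)
        self.tokens[token] = doc_id
        return token

    def fetch_by_token(self, requester: str, token: str) -> str:
        """Opaque tokens are defense in depth, not a substitute for the check."""
        doc_id = self.tokens.get(token)
        if doc_id is None:
            raise PermissionError("document not found")
        return self.fetch_checked(requester, doc_id)
```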
When he reached out to Krebs, Shoval had been having trouble getting a response from First American. Krebs’s inquiry found that the company had been exposing approximately 885 million files. The files, the earliest dated 2003, appear to have been online from at least March 2017 until May 25, 2019.
It’s not clear whether any unauthorized parties accessed the files during this time, but the exposed information would have been extremely valuable to scammers.
First American has shut down the website in response to the incident and has initiated an investigation. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said.
Dave Farrow, Senior Director of Information Security at Barracuda Networks, described the IDOR vulnerability as a “very common programming mistake.”
Farrow said, “The result in this case is a trove of very sensitive information that can be used to fuel the next stage of an attack in the form of identity theft, spear phishing or Business Email Compromise (BEC).” He added that breaches like this appear likely to continue.
“While we must continue improving the security of our applications and systems, that is just the first line of defense. This defense is only as strong as the weakest vendor we share our data with. Or the strongest partner they share our data with. One vendor could be doing a perfect job protecting our privacy. But that doesn’t necessarily stop another vendor from losing the same information that they’re both trying to protect.”
“We must implement defense in depth. One line of defense includes reviewing how a malicious person in possession of leaked information may attempt to use it against us or our customers. Account takeovers, wire transfer fraud, and identity theft all come to mind. There appears to be no shortage of creative ways that someone can defraud their fellows these days,” he warned.