Published on May 28th, 2019

First American Financial website leaked 885 million documents


About 885 million documents, including bank account numbers, mortgage records, Social Security numbers, drivers’ license images and tax records, have been leaked by First American Financial Corp.’s website.

Anyone with a web browser and a URL for a legitimate document could access the real estate title company’s records, according to a report by KrebsOnSecurity, which noted many of the documents related to wire transactions involving property buyers and sellers.

“At first glance it appears that this vulnerability is an insecure direct object reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number,” said Jon Bottarini, hacker and lead federal technical programs manager at HackerOne. “Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time.”

The impact of the exposure is unknown. “It should be noted that while the vulnerability in the system has been confirmed, it’s unclear that it was exploited by malicious individuals. In that respect, it is difficult to assess the full impact at this moment,” said Hardik Modi, senior director of threat intelligence at NetScout. “I would expect that an investigation of logs should reveal whether there was actual malicious access of records at any scale.”
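
A log review of the kind Modi describes could start by looking for clients that retrieved runs of neighbouring document numbers, the access pattern Bottarini describes. The sketch below is an added example, not code from the article or from First American; the log format, the `/documents?id=` path, the IP addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format and URL path (assumptions, not First American's real ones).
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "GET /documents\?id=(\d+) HTTP/[\d.]+" (\d{3})$')

def _line(ip, doc_id, status=200):
    return f'{ip} [2019-01-01T00:00:00Z] "GET /documents?id={doc_id} HTTP/1.1" {status}'

# Constructed sample traffic; addresses come from documentation-only ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i) for i in range(1000, 1008)]          # 8 neighbouring records
    + [_line("198.51.100.23", i) for i in (4521, 88213, 4521)]    # customer reopening own links
    + [_line("192.0.2.50", i, 404) for i in range(2000, 2010)]    # requests that returned nothing
)

def parse(log_text):
    """Yield (client, doc_id) for each document request that actually returned a record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "200":
            yield m.group(1), int(m.group(2))

def longest_run(ids, max_gap=1):
    """Return (first_id, last_id, count) for the longest run of distinct ids
    spaced at most max_gap apart, or None if ids is empty."""
    best = cur = None
    for i in sorted(set(ids)):
        cur = (cur[0], i, cur[2] + 1) if cur and i - cur[1] <= max_gap else (i, i, 1)
        if best is None or cur[2] > best[2]:
            best = cur
    return best

def find_enumerators(log_text, min_run=5, max_gap=1):
    """Map each client to its longest run of adjacent document numbers, if >= min_run."""
    per_client = defaultdict(list)
    for client, doc_id in parse(log_text):
        per_client[client].append(doc_id)
    runs = {c: longest_run(ids, max_gap) for c, ids in per_client.items()}
    return {c: r for c, r in runs.items() if r[2] >= min_run}

if __name__ == "__main__":
    for client, (first, last, count) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} adjacent documents retrieved, ids {first}-{last}")
```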

But Bottarini noted “that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.”

Successful escrow fraud plays on both “naïveté and speed as it relies on fake email accounts to execute the scam,” he said. “If a scammer had access and decided to exploit this vulnerability in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the Personal Identifiable Information (PII) necessary without having to hack into each individual title company.” Armed with that information, the fraudster can easily “spoof the title company’s site and send instructions to the end user to wire money needed to close on a property, usually to the fraudster’s account.”

“The First American incident is just the latest in a string of examples of how many of the legacy systems that underlie our society are inherently flawed,” said Ernesto DiGiambattista, founder and CEO, ZeroNorth. “We know the company exposed hundreds of millions of records that date back 16 years, but we don’t yet know how long they had been exposed.”

Since threat actors “continue to exploit vulnerabilities that may have existed for months or years, and as business and economies are increasingly driven by technology,” DiGiambattista said, “the threat of legacy systems becomes more severe.”
