The website Equifax set up to let consumers monitor their credit accounts after last week’s massive security breach is itself vulnerable to attack.
In the aftermath of last week’s breach, millions of consumers set up alerts and freezes on one or more credit accounts. As it turns out, a new website that Equifax uses to place alerts on an individual’s credit history can be easily spoofed, a security researcher has discovered.
As reported by ZDNet, security researcher Martin Hall revealed that the credit alert website can be ‘easily spoofed’. The site lets users request a 90-day fraud alert or an active duty alert on their credit report. However, vulnerabilities in the site enable attackers to steal personal information from those who visit it.
Specifically, the website is vulnerable to a cross-site scripting (XSS) attack, in which an attacker gets malicious code to run inside a web page or web application. Because the malicious code is carried in a link to Equifax’s own site and reflected back into the page, it executes as part of the Equifax domain, and any prompt it draws appears to be genuine Equifax content. The browser still shows the ‘lock’ icon, since that icon only attests to the TLS connection to the real host, not to what the page ends up displaying.
Essentially, anyone who knows the code can embed it in links sent in phishing emails to harvest personal information from unsuspecting consumers; because the link points at the genuine Equifax site, checking the address bar offers no protection.
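To make the mechanism in the two paragraphs above concrete, here is an added example (not Equifax’s code, and not the flaw Hall found) of the reflected-XSS pattern: a page that copies a query-string parameter straight into its HTML, beside the same page with the parameter escaped. The host name, the `msg` parameter, the page template and the phishing-style URL are all hypothetical, constructed for the example.

```javascript
// Added example (not Equifax's code): a minimal reflected-XSS pattern of the
// kind described above, alongside its hardened form. The host, template and
// "msg" parameter are hypothetical; the real Equifax page is not reproduced.

// Escape the five characters that let text break out of an HTML text node or
// a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the "msg" query parameter is reflected into the page verbatim,
// so markup in the URL becomes markup in the page served from the trusted host.
function renderVulnerable(url) {
  const msg = new URL(url).searchParams.get('msg') || '';
  return `<html><body><h1>Fraud alert request</h1><p>${msg}</p></body></html>`;
}

// Hardened: the same parameter is HTML-escaped before being placed in the
// document, so "<script>" reaches the browser as "&lt;script&gt;".
function renderHardened(url) {
  const msg = new URL(url).searchParams.get('msg') || '';
  return `<html><body><h1>Fraud alert request</h1><p>${escapeHtml(msg)}</p></body></html>`;
}

// Crude check a reviewer or a pre-deploy test can run on rendered HTML: does a
// raw <script> tag or inline event handler appear? This template emits neither,
// so any hit must have been injected through the parameter.
function containsInjectedScript(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed attacker URL of the kind that would be sent in a phishing email:
// the host is the trusted one, and the payload rides in the query string.
const attackerUrl =
  'https://alerts.example.invalid/request?msg=' +
  encodeURIComponent('<script>document.body.innerHTML="<form>Enter your SSN</form>"</script>');

// Render the same crafted link through both versions and report whether the
// injected script survived into the page.
function demo() {
  return {
    vulnerable: containsInjectedScript(renderVulnerable(attackerUrl)),
    hardened: containsInjectedScript(renderHardened(attackerUrl)),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

Run with `node`. The vulnerable render places the attacker’s `<script>` inside a page served over HTTPS from the legitimate host, which is why the padlock stays green: TLS proves who served the page, not what was written into it. Output encoding at the point of insertion is the fix; a Content-Security-Policy that disallows inline scripts is a worthwhile second layer but does not replace it.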
“I looked at the code and noticed that I could break out of the developer’s code into my own,” Hall told ZDNet. “This gives me full permission to change the page to say or load any content I want.”
Alarmingly, Hall added that he had reached out to Equifax’s security team about multiple flaws in the company’s website but he did not hear back from the company.
Meanwhile, two key US senators have demanded Equifax answer detailed questions about the breach, which affected some 143 million Americans.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” wrote Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden in their letter.
Image credit: Pixabay.