About 885 million documents, including bank account numbers, mortgage records, Social Security numbers, drivers’ license images and tax records, have been leaked by First American Financial Corp.’s website.
Anyone with a web browser and a URL for a legitimate document could access the real estate title company’s records, according to a report by KrebsOnSecurity, which noted many of the documents related to wire transactions involving property buyers and sellers.
“At first glance it appears that this vulnerability is an insecure direct object reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number,” said Jon Bottarini, hacker and lead federal technical programs manager at HackerOne. “Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time.”