If you’re not one to use iOS’ automatic updates feature, make sure to grab the latest updates for Experian – Free Credit Report and myFICO Mobile. A security vulnerability discovered by Verify.ly shows that attackers would have been able to intercept user login credentials on older versions of the clients. After the vulnerabilities were disclosed to both companies, it appears that the security holes have been fixed appropriately.
The applications Experian – Free Credit Report and myFICO Mobile are both financial applications built to keep users informed of their credit report and related information. Keeping an eye on your credit report can help you spot identity theft and invalid derogatory marks, and shows the overall impact that debt payments have on a score. According to Apptopia, in the past 180 days Experian’s application shows a download count of about 270,000 and myFICO’s about 39,000.
Will Strafach, founder of Verify.ly, reached out to me a month ago to point out that Verify.ly had discovered a vulnerability in two big-name financial applications. Experian and myFICO’s applications had not been using proper authentication methods when connecting to their services, allowing attackers to intercept a user’s login credentials. As of the latest updates, though, both Experian – Free Credit Report and myFICO Mobile have been updated to fix these glaring security holes.
Delving into the specifics, both applications were using incomplete TLS implementations. TLS, the security protocol that encrypts data exchanged with services over the internet, was not being implemented correctly within the applications. In a properly configured environment, the TLS implementation ensures that the user’s login credentials and data are sent over the internet encrypted and securely, such that they cannot be read by a malicious attacker.
Part of the TLS protocol is that the client, in this case the iOS application, ensures that the certificate received from the web service is valid and belongs to whom it should. Neither Experian’s nor myFICO’s application was confirming the validity of the certificate, so invalid certificates were accepted when they shouldn’t have been. In accepting these invalid certificates, the Experian and myFICO applications opened the door to a vulnerability in which an attacker could grab the user’s credentials when the user connected to a malicious network. There is a distinct irony in that these two applications are used to detect fraud on one’s credit report, yet were open to fraudulent activity themselves.
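To make the failure concrete, here is an added Swift illustration (not code from either app or from Verify.ly) of the iOS pattern that produces exactly this bug, beside a delegate that actually evaluates the server’s certificate chain; the host name is an assumed placeholder.

```swift
import Foundation
import Security

// Vulnerable pattern (hypothetical illustration, not code from either app):
// every server-trust challenge is answered with a credential built from
// whatever certificate the server presented, so a self-signed or
// proxy-issued certificate is accepted and the session can be intercepted.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: evaluate the chain against the system trust store for the
// expected host name and abort the connection when evaluation fails.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    let expectedHost: String   // assumption: the API host the app talks to
    init(expectedHost: String) { self.expectedHost = expectedHost }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind the evaluation to the host the app expects, not just to any valid chain.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, expectedHost as CFString))
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // invalid chain: abort, never fall back
        }
    }
}

// Simplest correct option is no delegate override at all: URLSession then
// performs default trust evaluation itself. If a delegate is needed, use the
// validating one.
let session = URLSession(configuration: .default,
                         delegate: ValidatingDelegate(expectedHost: "api.example.com"),
                         delegateQueue: nil)
```

A quick way to check an app for this class of bug is the one the author used below: route the device through an intercepting proxy with its own certificate and confirm the app refuses to connect rather than logging in.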
After receiving the notice from Strafach regarding the vulnerabilities in both applications, I set out and tested each application independently to validate the findings myself. Using Charles Proxy on a private home network, I was able to validate that both applications accepted invalid certificates. In doing so, login credentials entered into the application were visible to me in my testing.
The problem in situations like this is that you may have already been vulnerable to the attack and not even know it. In a real-world scenario the attacker would trick users into connecting to their devices, either through sophisticated methods like ARP spoofing, which forces you off your own network and onto theirs, or simply by using attractive network names like “FREE AirPort Wi-Fi.” Once users on these networks began logging into their applications, their credentials would have been sent over the network unencrypted, leaving the attacker a very visible view of the username and password. That data could then be used in a combination of ways to attempt to access other accounts online.
Will Strafach and I both contacted Experian and myFICO independently to disclose the vulnerability. Strafach was told by Experian corporate that their IT security team would not take any outside calls, no exceptions. After further discussion with the operator, she relayed to him that there was nothing further she could do to help. The response I received from Experian was a tad more generic, indicating that their applications have “gone through rigorous security testing prior to release and we continuously improve security measures with each release to ensure the safety of a user’s data.”
Experian takes information security very seriously. Our mobile applications have gone through rigorous security testing prior to release and we continuously improve security measures with each release to ensure the safety of a user’s data. In regards to the issues with TLS, we plan to remove older versions in the very near future, well before the dates specified by both Apple and the Payment Card Industry Security Standards Council (PCI SSC).
— Statement from Experian
When contacting the myFICO team, they were a bit more receptive to the situation. Both Strafach and I were told to email the team independently; unfortunately, I only received back the following automated message from their mail server: “The recipient’s mailbox is full and can’t accept messages now. Please try resending your message later, or contact the recipient directly.”
As of today, both applications’ vulnerabilities have been resolved. Grab the updates on the App Store for Experian – Free Credit Report and myFICO Mobile as soon as you can, and make sure you’re updated and running iOS’ latest builds.
If you were using any of the older versions of the applications, we recommend changing your account password and the passwords of any other accounts that share the same credentials. Consider using a password manager like LastPass or 1Password for added security.