Equifax’s credit report monitoring site is also vulnerable to hacking

The XSS vulnerability in action. (Image: ZDNet)

Equifax’s site used to set up credit account monitoring in the wake of last week’s security breach is also vulnerable to hackers, ZDNet has learned.

In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless consumers are thought to have flocked to the credit rating agencies' websites and phone banks to protect themselves from hackers.

The problem is that Equifax's site used to set up alerts on individuals' credit rating history (which we are not linking to) can be easily spoofed, security researcher Martin Hall told ZDNet.

The site is used to request a 90-day fraud or active duty alert for credit report holders — thought to be the majority of Americans.

But a vulnerability in the site can allow hackers to siphon off the personal information of anyone who reaches it through a crafted link.

The site is vulnerable to a cross-site scripting (XSS) attack. In an XSS attack, an attacker injects script or markup into a page served by a legitimate website or web application, such as Equifax's site, and the victim's browser runs it with the full trust of that site's domain.

In this case, the malicious code travels inside the Equifax web address itself: the site echoes part of the URL back into the page without encoding it, a form of XSS known as "reflected". A hacker sends the consumer a link to the Equifax site carrying the injected code, and when the page loads it displays an attacker-controlled prompt for the consumer's social security number and other personal information.

That data is sent to the attacker as soon as the consumer submits it.

Because the malicious code arrives in Equifax's own web address, the fraudulent prompt is rendered as part of the Equifax domain. The browser has no way to tell that the content is not Equifax's: the HTTPS connection to the legitimate server is genuine, so the browser still displays the "lock" icon, which vouches only for the connection, not for what the page contains. That also makes the link difficult to spot in a spam or phishing email, because the code is loaded from Equifax's legitimate domain rather than a look-alike one.
