Equifax operated an unsecured, public-facing website that allowed anyone to steal sensitive data on more than 145 million Americans but did nothing when warned about it by a security researcher last year. A scan of Equifax’s internet-connected systems quickly revealed a website that offered up the data, which included names, birthdates, and Social Security numbers.
The site looked like a portal made only for employees but was completely exposed to anyone on the internet. It displayed several search fields, and anyone, with no authentication whatsoever, could force the site to display the personal data of Equifax’s customers, according to the researcher. Motherboard saw multiple sets of the data they were able to access. “I didn’t have to do anything fancy,” the researcher told Motherboard, explaining that the site was vulnerable to a basic “forced browsing” bug. The researcher requested anonymity out of professional concerns.
Source: [H]ardOCP – Equifax Was Previously Warned by a Security Researcher