Zamen | زامن
PSA: Security vulnerability discovered, update your Experian and myFICO Mobile iOS apps ASAP
If you're not one to use iOS' automatic updates feature, make sure to grab the latest updates for Experian – Free Credit Report and myFICO Mobile. A security vulnerability discovered by Verify.ly shows that attackers would have been able to intercept user login credentials on older versions of the clients. After the vulnerabilities were disclosed to both companies, it appears that the security holes have been fixed appropriately.

Experian – Free Credit Report and myFICO Mobile are both financial applications built to keep users informed about their credit report and credit information. Keeping an eye on your credit report can help spot identity theft and invalid derogatory marks, and shows the overall impact that debt payments have on a score. According to Apptopia, in the past 180 days Experian's application shows a download count of about 270,000 and myFICO's about 39,000.

Will Strafach, founder of Verify.ly, had reached out to me a month ago pointing out that Verify.ly had discovered a vulnerability in two big-name financial applications. Experian's and myFICO's applications were not using proper authentication methods when connecting to their services, allowing attackers to intercept a user's login credentials. As of the latest updates, though, both Experian – Free Credit Report and myFICO Mobile have been updated to fix these glaring security holes.

Delving into the specifics, both applications were using incomplete TLS implementations. TLS, the security protocol that encrypts traffic between an application and the services it talks to over the internet, was not implemented correctly in either application. In a properly configured environment, the TLS implementation ensures that the user's login credentials and data are sent over the internet encrypted, so that they cannot be read by an attacker on the network path.

Part of the TLS protocol is that the client, in this case the iOS application, verifies that the certificate received from the web service is valid and was issued for the host it claims to be. Neither Experian's nor myFICO's application was confirming the validity of the certificate, so invalid certificates were accepted when they should have been rejected. By accepting these invalid certificates, the Experian and myFICO applications opened the door to a vulnerability in which an attacker on a malicious network could grab the user's credentials. There is a distinct irony in that these two applications are used to detect fraud on one's credit report, yet were open to fraudulent activity themselves.

After receiving the notice from Strafach regarding the vulnerabilities in both applications, I set out and tested each application independently and validated them myself as well. Using Charles Proxy on a private home network, I was able to validate that both applications were open to accepting invalid certificates. In doing so, login credentials entered into the application were visible to me in my testing.
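To make the failure concrete, here is an added example (not code from the Experian or myFICO apps) of the class of bug described above: a URLSession delegate that trusts any server certificate, beside a delegate that validates the certificate chain and hostname before letting the request proceed. The hostname `api.example.invalid` and the class names are placeholders for illustration.

```swift
import Foundation
import Security

// Added example, not code from the Experian or myFICO apps. It shows the class of
// bug the article describes (a URLSession delegate that trusts any server
// certificate) next to a delegate that validates the chain and hostname.
// "api.example.invalid" is a placeholder hostname.

// VULNERABLE: hands URLSession a credential for whatever certificate arrives,
// so a self-signed or mismatched certificate on a hostile network is accepted
// and the login request is sent through it.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: evaluate the presented chain against the system trust store with an
// SSL policy bound to the host we meant to reach, and cancel on failure.
// (Not implementing this delegate method at all gives the same default checks.)
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    private let expectedHost: String
    init(expectedHost: String) { self.expectedHost = expectedHost }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Hostname check: the certificate must be valid for expectedHost, not just any host.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, expectedHost as CFString))
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Untrusted issuer, expired, or wrong host: abort before any credentials leave the device.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

A quick regression check for the hardened form is exactly the one the article's author ran: route the app through a proxy presenting a certificate the device does not trust and confirm the login request is cancelled rather than sent.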