About 885 million documents, including bank account numbers, mortgage records, Social Security numbers, drivers’ license images and tax records, have been leaked by First American Financial Corp.’s website.
Anyone with a web browser and a URL for a legitimate document could access the real estate title company’s records, according to a report by KrebsOnSecurity, which noted many of the documents related to wire transactions involving property buyers and sellers.
“At first glance it appears that this vulnerability is an insecure direct object reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number,” said Jon Bottarini, hacker and lead federal technical programs manager at HackerOne. “Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time.”
The impact of the exposure is unknown. “It should be noted that while the vulnerability in the system has been confirmed, it’s unclear that it was exploited by malicious individuals. In that respect, it is difficult to assess the full impact at this moment,” said Hardik Modi, senior director of threat intelligence at NetScout. “I would expect that an investigation of logs should reveal whether there was actual malicious access of records at any scale.”
But Bottarini noted “that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.”
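The log investigation Modi describes can be sketched as follows. This is an added example, not code from the article or from First American: it flags clients that successfully fetched runs of neighbouring document numbers, the pattern Bottarini describes. The log layout, the `/documents?id=` path and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout (hypothetical, not First American's real logs):
#   <client> <timestamp> GET /documents?id=<number> <status>
LINE_RE = re.compile(r"^(\S+) \S+ GET /documents\?id=(\d+) (\d{3})$")

def longest_run(ids, max_gap=1):
    """Longest run of distinct ids whose sorted neighbours differ by <= max_gap."""
    best = run = 0
    prev = None
    for n in sorted(set(ids)):  # sorting catches walks in either direction
        run = run + 1 if prev is not None and n - prev <= max_gap else 1
        best = max(best, run)
        prev = n
    return best

def find_enumerators(lines, min_run=5, max_gap=1):
    """Return {client: longest_run} for clients that successfully fetched
    at least min_run near-consecutive document numbers."""
    fetched = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a document fetch in the assumed layout
        client, doc_id, status = m.group(1), int(m.group(2)), m.group(3)
        if status == "200":  # only count documents actually returned
            fetched[client].append(doc_id)
    hits = {}
    for client, ids in fetched.items():
        run = longest_run(ids, max_gap)
        if run >= min_run:
            hits[client] = run
    return hits

# Constructed sample: one client walks ids 75..80 in both directions,
# one opens three unrelated documents, one probes ids that mostly 404.
SAMPLE_LOG = [
    "198.51.100.7 2019-05-24T10:00:01Z GET /documents?id=78 200",
    "198.51.100.7 2019-05-24T10:00:02Z GET /documents?id=79 200",
    "198.51.100.7 2019-05-24T10:00:03Z GET /documents?id=80 200",
    "203.0.113.20 2019-05-24T10:00:04Z GET /documents?id=1200 200",
    "198.51.100.7 2019-05-24T10:00:05Z GET /documents?id=77 200",
    "198.51.100.7 2019-05-24T10:00:06Z GET /documents?id=76 200",
    "203.0.113.20 2019-05-24T10:01:00Z GET /documents?id=48211 200",
    "198.51.100.7 2019-05-24T10:01:07Z GET /documents?id=75 200",
    "192.0.2.9 2019-05-24T10:02:00Z GET /documents?id=500 200",
    "192.0.2.9 2019-05-24T10:02:01Z GET /documents?id=501 404",
    "203.0.113.20 2019-05-24T10:03:00Z GET /documents?id=990017 200",
]
```

Raising `max_gap` catches walks that skip numbers; grouping by session or account rather than client address is the better key where the logs record one.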
Successful escrow fraud plays on both “naiveté and speed as it relies on fake email accounts to execute the scam,” he said. “If a scammer had access and decided to exploit this vulnerability in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the Personal Identifiable Information (PII) necessary without having to hack into each individual title company.” Armed with that information, the fraudster can easily “spoof the title company’s site and send instructions to the end user to wire money needed to close on a property, usually to the fraudster’s account.”
“The First American incident is just the latest in a string of examples of how many of the legacy systems that underlie our society are inherently flawed,” said Ernesto DiGiambattista, founder and CEO, ZeroNorth. “We know the company exposed hundreds of millions of records that date back 16 years, but we don’t yet know how long they had been exposed.”
Since threat actors “continue to exploit vulnerabilities that may have existed for months or years, and as business and economies are increasingly driven by technology,” DiGiambattista said, “the threat of legacy systems becomes more severe.”