Following the news that Fortune 500 real estate title insurance giant First American Financial Corp has just been informed that its website has been leaking hundreds of millions of documents related to mortgage deals going back to 2003, please see below comments from security experts at HackerOne:
Jon Bottarini, Hacker and Lead Federal Technical Programs Manager at HackerOne:
“At first glance it appears that this vulnerability is an Insecure Direct Object Reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number. Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time. What’s interesting is that since a large majority of lenders use First American, it is highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular.
Escrow fraud works by depending on both naïveté and speed as it relies on fake email accounts to execute the scam. Fraudsters do this by hacking into a title company’s system to retrieve emails and information about upcoming home purchases. If a scammer had access and decided to exploit this vulnerability in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the Personally Identifiable Information (PII) necessary without having to hack into each individual title company. Once the fraudster has this information, it is quite easy to spoof the title company’s site and send instructions to the end user to wire money needed to close on a property, usually to the fraudster’s account.”
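The IDOR pattern described in the comment above (changing the document number in a link returns another person's record), as an added Python illustration that is not First American's or HackerOne's code: a lookup with no authorization check beside one that enforces ownership, plus a log check for clients walking consecutive document numbers. All function names, records and log entries are constructed for the example.

```python
# Added illustration: hypothetical names and constructed data throughout.
from collections import defaultdict

# Constructed sample store: sequential document numbers, one owner each.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement A"},
    1002: {"owner": "bob", "body": "wire instructions B"},
    1003: {"owner": "carol", "body": "tax record C"},
}

def fetch_vulnerable(doc_id, session_user=None):
    """IDOR: knowing (or guessing) the document number is the only gate."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)

def fetch_hardened(doc_id, session_user):
    """Require a session and check ownership on every lookup."""
    if session_user is None:
        return (401, None)
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "missing" and "not yours", so responses do not
    # reveal which document numbers exist.
    if doc is None or doc["owner"] != session_user:
        return (404, None)
    return (200, doc["body"])

def flag_enumeration(access_log, min_run=3):
    """Return clients whose requests walk consecutive document numbers."""
    by_client = defaultdict(list)
    for client, doc_id in access_log:
        by_client[client].append(doc_id)
    flagged = set()
    for client, ids in by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= min_run:
                flagged.add(client)
    return flagged

# Constructed access log: (client address, requested document number).
SAMPLE_LOG = [
    ("198.51.100.7", 1001), ("203.0.113.9", 1002), ("198.51.100.7", 1002),
    ("198.51.100.7", 1003), ("203.0.113.9", 1002),
]
```

The ownership check is the fix; the log check only helps spot enumeration after the fact and would need tuning for real traffic.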
Marten Mickos, CEO at HackerOne:
“As we have seen many times before, some of the biggest leaks could have been easily prevented. In bug bounty programs run on HackerOne over 2,000 vulnerabilities of the same type were found and fixed in the last year — earning ethical hackers over $1.5 million in rewards for these discoveries. Since a large majority of lenders use First American, it is not unlikely that recent escrow scams are related to this leak. As a society, we must hold companies responsible for storing personal information safely and securely.
It’s important for companies, especially those dealing with mounds of sensitive personal data, to have a public-facing way to report bugs and vulnerabilities. As a society, we must agree and mandate that anyone providing a digital product or service must have a proper way of receiving bug reports and fixing the problems. We owe this to each other. Society has figured out hospital hygiene and airline safety, to name just two areas, and similarly we need to jointly and resolutely figure out software security. Even if millions of people find nothing to report, and thousands may report something that isn’t really a bug, it still is worth it when just one person finds something of this scale.”