Security gap: Schufa tenant information can be called up under someone else’s name

by time news

2023-07-24 15:22:37


There was a serious security gap in Schufa’s Bonify app. Photo: © Peter Kneffel/dpa

With a new app, Schufa wants to make it easier for consumers to access personal information. Now, however, a glaring security problem has emerged.

A serious vulnerability gaped in the Bonify app, which Schufa presented for viewing one’s own creditworthiness. Rental creditworthiness certificates could be retrieved without authorization via the app of the Schufa subsidiary Bonify. This emerges from publications by the security researcher Lilith Wittmann from the hacker collective “Zerforschung” on Twitter and Mastodon. On Monday afternoon, the Schufa service could not be reached via the app. The “Süddeutsche Zeitung” first reported on the incident.

Wittmann had exploited a vulnerability in identity verification. “Because after you have verified your data using the Bankident procedure, you can update it for about a second via a programming interface,” Wittmann wrote on Mastodon. In this way, the hacker activist had the so-called Boniversum score of the CDU politician Jens Spahn issued to her. The Boniversum score corresponds to the rental creditworthiness certificate. This is not Schufa’s broader credit score, which also tracks cell phone contracts, loans, credit card activity, bank accounts, and other data.

When asked, Schufa said that according to the current state of knowledge, the expert had “discovered a gap in the account identification process between Bonify and Boniversum that could be exploited to exchange one’s own address with someone else’s.” It was not possible to query the Schufa score. “Schufa data was never affected by the incident.”

The comprehensive Schufa rating is important for consumers. Banks, mail order companies, mobile phone companies or energy suppliers inquire about the creditworthiness of their customers from private credit agencies such as Schufa.

Wittmann received criticism online for her decision to illustrate her message about the Bonify hack with screenshots of Spahn’s Boniversum score, which also shows the date of birth and the address of the former Federal Minister of Health. “Privacy not your thing, huh?” wrote a Twitter user. Wittmann justified herself by saying that the data had been known anyway since the discussion about the controversial purchase of a villa by Spahn.

dpa
