The website of financial services company First American Financial until recently exposed hundreds of millions of documents containing sensitive information, security blogger Brian Krebs reported on Friday.
According to its Wikipedia page, First American Financial is “a leading provider of title insurance and settlement services to the real estate and mortgage industries.”
Krebs learned from Ben Shoval, a real estate developer in Washington state, that a section of First American’s website, firstam.com, had been storing hundreds of millions of title insurance records without proper protection.
The exposed documents contained social security numbers, bank account numbers and statements, driver’s licenses, tax and mortgage records, and wire transaction receipts.
This was the result of an insecure direct object reference (IDOR) vulnerability that allowed anyone to access all the documents stored by First American on this section of its site by modifying the value of a parameter in a link pointing to a valid document. For example, if a document is stored at example.com/file001.pdf, changing the URL to example.com/file002.pdf fetches a different document.
Shoval had been having trouble contacting First American when he reached out to Krebs. Their investigation revealed that the company had been exposing roughly 885 million files. The files — the earliest dated 2003 — were apparently online from at least March 2017 until May 25, 2019.
It’s unclear if any unauthorized users accessed the files during this time, but the exposed information could have been highly useful to scammers.
First American has shut down its website in response to the incident and has launched an investigation. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said.< ..