Schufa App: Temporary Security Leak in Bonify Exposes User Data


The credit rating agency Schufa recently released an updated version of Bonify, the app of one of its subsidiaries, with which consumers can view their Schufa credit score themselves free of charge. Tenant information is also available for a fee. Schufa aims to increase transparency and give people more control over their data. However, for a short period a security hole in the app allowed any data to be retrieved from the service. This was discovered by hacker and activist Lilith Wittmann.

Wittmann explains that the gap she discovered in the app's API can be used to obtain creditworthiness information for any person. This is possible immediately after the verification process, but only for a second. Wittmann obtained tenant information about a CDU politician and published the screenshots on Mastodon.

There are two ways to register with the Bonify app: through the identification process of the provider IDNow or by registering with a bank account. It remains to be seen whether the gap described by Wittmann is limited to the identification process. Because of the restrictive conditions and the one-second window, it is unlikely that data can be retrieved on a massive scale through the vulnerability, but it is not completely impossible.

Wittmann has not yet notified Schufa about the problem. The Bonify service is currently down for maintenance. Schufa reports that Wittmann discovered a gap in the account identification process between Bonify and Creditreform Boniversum, which is involved in that process. This made it possible to swap one's own address for someone else's. Schufa's own data was not affected by the incident owing to its security standards. Schufa is working on transferring its security and quality standards to the Bonify subsidiary; the relevant security analyses are to be completed by autumn of this year.
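The flaw Schufa describes, an identification step after which the subject of the lookup could be swapped for someone else's, is a classic case of a server trusting client-supplied identity fields after verification. The following added example is a constructed simulation, not Bonify's, Schufa's or Creditreform Boniversum's code, and all names, records, functions and sessions in it are hypothetical. It contrasts a handler that reads the subject of a credit lookup from the request with one that only ever uses the name and address the verification step bound to the session on the server, and that logs a mismatch as a tampering signal for detection.

```python
"""Constructed example: bind data lookups to the server-side verified identity.

Not code from Bonify or Schufa. Records, sessions and names are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records keyed by (name, address). Hypothetical data.
RECORDS = {
    ("Alice Example", "Musterstrasse 1"): {"score": 97, "tenant_info": "no negative entries"},
    ("Bob Example", "Beispielweg 2"): {"score": 81, "tenant_info": "one open claim"},
}


@dataclass
class Session:
    session_id: str
    verified: bool = False
    verified_name: Optional[str] = None
    verified_address: Optional[str] = None


SESSIONS: Dict[str, Session] = {}
AUDIT: List[str] = []  # mismatch events a detection pipeline would consume


def start_session(session_id: str) -> Session:
    """Create an unverified session (stands in for app login)."""
    session = Session(session_id)
    SESSIONS[session_id] = session
    return session


def complete_verification(session_id: str, name: str, address: str) -> None:
    """Called once the identity provider has confirmed name and address.

    The subject is bound to the session here, on the server, and is never
    taken from the client again. `verified` is set last, so no reader can
    observe a verified session whose subject is still unbound.
    """
    session = SESSIONS[session_id]
    session.verified_name = name
    session.verified_address = address
    session.verified = True


def lookup_vulnerable(session_id: str, request: dict) -> Optional[dict]:
    """Hypothetical weak handler: subject of the lookup comes from the request."""
    session = SESSIONS[session_id]
    if not session.verified:
        raise PermissionError("identity not verified")
    # Flaw: any verified user can name an arbitrary person and get their record.
    return RECORDS.get((request.get("name"), request.get("address")))


def lookup_hardened(session_id: str, request: dict) -> Optional[dict]:
    """Hardened handler: subject is the identity bound at verification time."""
    session = SESSIONS[session_id]
    if not session.verified:
        raise PermissionError("identity not verified")
    client_subject = (request.get("name"), request.get("address"))
    server_subject = (session.verified_name, session.verified_address)
    if client_subject != server_subject:
        # Client fields are ignored for the lookup, but a mismatch is the
        # signature of parameter tampering and is worth alerting on.
        AUDIT.append(f"{session_id}: subject mismatch, client sent {client_subject!r}")
    return RECORDS.get(server_subject)


if __name__ == "__main__":
    start_session("demo")
    complete_verification("demo", "Alice Example", "Musterstrasse 1")
    tampered = {"name": "Bob Example", "address": "Beispielweg 2"}
    print("vulnerable:", lookup_vulnerable("demo", tampered))  # Bob's record
    print("hardened:  ", lookup_hardened("demo", tampered))    # Alice's record
    print("audit:     ", AUDIT)
```

The point of the hardened handler is that verification and lookup share one server-side binding, so there is no window, one second or otherwise, in which a verified session can be pointed at a different subject; the audit entry gives operations a concrete event to alert on when clients send subject fields that do not match the verified identity.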
