Security vulnerabilities in systems used by several South African banks exposed the personal data of people who applied for home loans.
Information about the flaw came from a source who spoke to MyBroadband on condition that they remain anonymous.
The existence of the flaws was confirmed by E4 Strategic, the company which develops and maintains the systems. The company also stated that the vulnerabilities had been discovered and fixed, and that there is no evidence of any data having been leaked.
However, according to the source, vulnerabilities still exist in the systems.
The source explained that E4’s services are used by attorneys around South Africa to register and cancel home loans with nearly all the major lenders. Certain banks are less exposed to the issue than others, but the source said that all are exposed in some way.
They said that the exposed data includes ID documents, home loan application information (including the cost of credit), and the property valuation.
Additionally, the source said that it is not only new home loan applications that are exposed, but potentially all home loans dating back to 2010.
MyBroadband has seen evidence that a web-based application programming interface (API) provided by E4 Strategic exposes information to anyone on the Internet who knows where to look.
Neither requests to the API nor its responses are encrypted, so anyone on the network path can read them in full. Querying the API also does not appear to require authentication.
The API that MyBroadband saw could not be used to directly query the personal data of home loan applicants. However, the source said that data from one API may be used to extract the personal information of home loan applicants from another.
Web-based APIs, generally referred to as web services, share many of the same technologies as websites.
When you send a request to a web server that hosts a website, you get back a webpage which can be displayed in a browser. This article is an example of a webpage.
Web services, on the other hand, generally respond with structured data (typically JSON or XML) formatted for developers to consume in other applications rather than for display in a browser.
For example, data leak and breach notification service Have I Been Pwned? (HIBP) provides a web service at the URL – https://haveibeenpwned.com/api
While most of the queries supported by the HIBP API require an authentication key, it is possible to query the API for general information about breaches without a key.
To get information about the breach of South African traffic fine website ViewFines, for instance, you can simply send a web request (known as a GET request) to – https://haveibeenpwned.com/api/v3/breach/viewfines
As web browsers use GET requests to retrieve pages from web servers, you can visit the HIBP URL in your browser to get an idea of what the response from a web service looks like.
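The following is an added example, not code from MyBroadband or from E4 Strategic, showing how a developer would query a web service such as the HIBP breach endpoint above with a plain, credential-less GET, parse the JSON it returns, and note the two properties the source complains about in E4's API: whether the transport is encrypted (https versus http) and whether the endpoint answers without authentication. The live request targets the HIBP URL named in the article; the sample response embedded in the script is constructed for offline use and is not the real ViewFines record. The field names follow HIBP's documented breach model, and the header value `mybroadband-example/1.0` is an arbitrary choice (HIBP rejects requests without a User-Agent).

```python
"""Query a web service and inspect the endpoint (added example, not MyBroadband's or E4's code).

Standard library only. SAMPLE_RESPONSE is a constructed record in the shape of an
HIBP v3 breach object; its values are made up and are not the real ViewFines entry.
"""
import json
import urllib.request
from urllib.parse import urlparse

HIBP_BREACH_URL = "https://haveibeenpwned.com/api/v3/breach/viewfines"

# Constructed sample: field names match the public HIBP breach model, values are invented.
SAMPLE_RESPONSE = json.dumps({
    "Name": "ExampleSite",
    "Title": "Example Site",
    "Domain": "example.com",
    "BreachDate": "2018-05-01",
    "PwnCount": 123456,
    "DataClasses": ["Email addresses", "Names", "Passwords"],
    "IsVerified": True,
    "IsSensitive": False,
})


def transport_is_encrypted(url: str) -> bool:
    """True only for https URLs; plain http exposes request and response to anyone on the path."""
    return urlparse(url).scheme.lower() == "https"


def http_get(url: str, timeout: float = 10.0):
    """Unauthenticated GET, exactly what a browser sends. Returns (status, body).

    No API key is attached; HIBP only insists on a User-Agent header.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "mybroadband-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


def parse_breach(body: str) -> dict:
    """Pull the fields a developer would reuse out of the JSON body of one breach record."""
    record = json.loads(body)
    return {
        "name": record["Name"],
        "domain": record.get("Domain", ""),
        "breach_date": record["BreachDate"],
        "pwn_count": int(record["PwnCount"]),
        "data_classes": list(record.get("DataClasses", [])),
        "verified": bool(record.get("IsVerified", False)),
    }


def assess_endpoint(url: str, status: int) -> list:
    """Findings an auditor would note for an endpoint that was sent a credential-less GET.

    A 200 to a request carrying no credentials means the endpoint does not require
    authentication. That is fine for public breach metadata, and not fine for
    records about named home-loan applicants.
    """
    findings = []
    if not transport_is_encrypted(url):
        findings.append("unencrypted transport (http)")
    if status == 200:
        findings.append("answers without authentication")
    elif status in (401, 403):
        findings.append("requires credentials")
    return findings


if __name__ == "__main__":
    # Offline path: parse the constructed sample.
    print(parse_breach(SAMPLE_RESPONSE))
    # Live path: only runs when the network is reachable.
    try:
        status, body = http_get(HIBP_BREACH_URL)
        print(assess_endpoint(HIBP_BREACH_URL, status))
        print(parse_breach(body))
    except OSError as exc:
        print("live request skipped:", exc)
```

Run it as a script and the first line printed is the parsed constructed sample; the live block prints `['answers without authentication']` for the HIBP breach endpoint, which is expected there because breach metadata is public. The same probe against an endpoint that returns a person's ID document or loan application with no credentials attached is the condition the source describes.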
Response from E4 Group
Ryan Barlow, the group chief information officer for E4, thanked MyBroadband for bringing the vulnerabilities reported by our source to their attention.
“Please note that we were already well aware of the issues and we can categorically state that the security vulnerabilities have already been patched,” Barlow said.
“As a technology business we take information security extremely seriously and as such do routine security checks on all our systems. As part of these checks, security issues are brought to our attention and dealt with appropriately as would be expected under the ordinary course of business.”
Barlow said that the company has an Information Security Officer to ensure that information security and data privacy are dealt with as an utmost priority in their business.
“In addition, we also have reputable external security consultants that ensure that we comply with the most stringent security controls, which are becoming more of a requirement, in particular with regards to our major banking clients.”
The Information Security Officer and one of the external security consultants serve on E4’s Vulnerability Patch Management Group, or VPMG, along with representatives from E4’s technical team.
“An Information Security Steering Committee has also been running for a number of years to track security threats on an ongoing basis,” Barlow said.
He also said that their major banking clients regularly audit E4’s security, and that the company is subject to information security audits from its external auditors.
“Finally, in relation to this matter, to the best of our knowledge there has been no unauthorised access to our data or the data that we store on behalf of our clients,” Barlow said.