Schufa app security flaw: Bonify enabled requests for third-party credit scores

Last week, Schufa unveiled Bonify, an app that lets private users view their own basic credit score. However, a security flaw made it possible to access accounts belonging to other people. As a result, IT security researcher Lilith Wittmann was able to retrieve Jens Spahn’s basic score.
Tanja Birkholz, CEO of Schufa Holding AG, addressed the public at the launch of the Bonify app, saying, “The new Schufa aims to increase transparency and give people more control over their data in the future.” That seems to have worked rather too well. Since last week, anyone has been able to check their own basic score free of charge at any time via the web app. The more creditworthy Schufa judges a person to be, the higher the score. As the year progresses,

Bonify is developed by Forteil, a Schufa subsidiary. It is emphasized that, despite their close affiliation, the two companies are legally independent and do not share resources such as databases. Access to Schufa data via Bonify therefore requires the user’s express consent.

Retrieve credit scores from third-party accounts

However, according to Spiegel, the app had problems from the start: instead of the promised Schufa score, users were frequently shown only a Boniversum score, which is based on different data. And over the weekend, Lilith Wittmann demonstrated on Mastodon and in a Medium article that she was also able to dig through other people’s data. She was able to access the Bonify data of more than 20 people. One of them

The data also includes the private address, details of payment history, information on debt collection and court proceedings, and any shareholdings in companies. With the exception of his Boniversum score, Spahn’s information could be independently confirmed, because it became public knowledge as a result of his villa affair.

Access is possible through a weakness in the BankIdent process that Forteil uses to authenticate users. In essence, the user’s own bank account is used to confirm the identity entered. However, there is a window of roughly one second during which the name can be changed before the system checks the data. In this way, a request for someone else’s data is verified using one’s own bank account. According to Wittmann, a prepared request can be sent to the interface using a tool, so all it takes to access someone else’s data is pressing a button at the right moment.
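To make this class of defect concrete, here is an added Python sketch (not Forteil’s or Schufa’s code; the service, names and records are constructed): a check-then-use flow in which the name confirmed against the bank account and the name used for the credit lookup are two separately editable things, next to a version that binds the lookup to an immutable snapshot of the bank-confirmed identity.

```python
from dataclasses import dataclass

# Constructed sample data (not real records): the holder the bank
# identification step reports, and a toy credit store keyed by name.
BANK_HOLDER = "Alice Example"
CREDIT_STORE = {"Alice Example": "score A", "Target Person": "score T"}


@dataclass
class Profile:
    """Identity details typed by the user; editable at any time."""
    name: str
    bank_verified: bool = False


def vulnerable_flow(profile, during_window):
    """Check-then-use: verify the profile name against the bank, then
    look up credit data by whatever name the profile holds later."""
    profile.bank_verified = profile.name == BANK_HOLDER   # check
    during_window(profile)                                # editable gap
    if not profile.bank_verified:
        return None
    return CREDIT_STORE.get(profile.name)                 # use


@dataclass(frozen=True)
class VerifiedIdentity:
    """Immutable snapshot of what the bank actually confirmed."""
    name: str


def hardened_flow(profile, during_window):
    """Bind the lookup to the bank-confirmed identity, not the profile."""
    if profile.name != BANK_HOLDER:
        return None
    ident = VerifiedIdentity(name=BANK_HOLDER)
    during_window(profile)          # same gap; profile edits are now moot
    return CREDIT_STORE.get(ident.name)


def edit_name(profile):
    """A profile edit landing inside the gap (the defect under test)."""
    profile.name = "Target Person"


def no_edit(profile):
    """Honest user: nothing changes between the two steps."""
```

The fix is not a shorter window but removing the dependency on mutable state: the lookup key is taken from the verification result itself, so later edits to the profile cannot redirect it.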

Consumer advocates advise against signing up with bank access.

According to its developers, the Bonify web app is currently offline again for maintenance. In a statement to Der Spiegel, they claim that the “score published by Lilith Wittmann was based solely on the information entered by the activist from Mr. Spahn.” None of his financial or personal information, they say, had been recorded. Schufa, for its part, says that its own data was not affected.
Even if the security flaw ultimately proves less severe than feared, the app still raises concerns. The North Rhine-Westphalia consumer advice center expressly warns against registering via bank account access because of the data users hand over in doing so: they grant the system permanent access to their account.

Consumer advocates consider mere access to this data a concern, even if Schufa is not permitted to use it for scoring purposes. Another privacy issue is the handling of third-party providers: Bonify reportedly shares personal data with several partners.
