Thursday, May 23, 2024

    IT expert uncovers data leak at Schufa subsidiary


    Spahn victim of vulnerability

    Using a trick, tenant information held under someone else’s name can be retrieved from the Schufa subsidiary Bonify. An IT expert shows that the identity verification has a weak point. She uses it and has CDU politician Jens Spahn’s Boniversum score issued to her.

    There was a serious security gap in the Bonify app, which Schufa presented as a way to view your own creditworthiness. Rental creditworthiness certificates could be accessed without authorization via the app from the Schufa subsidiary Bonify. This emerges from publications by security researcher Lilith Wittmann from the “Zerforschung” collective on Twitter and Mastodon. In the afternoon, the Schufa service could not be reached via the app.

    Wittmann had exploited a vulnerability in identity verification. “After you have verified your data using the Bankident process, you can update it for about a second via a programming interface,” wrote Wittmann on Mastodon. In this way, the activist had the so-called Boniversum score of CDU politician Jens Spahn issued to her. The Boniversum score corresponds to the rental creditworthiness certificate. This is not Schufa’s more comprehensive credit score, which also records cell phone contracts, loans, credit card activity, bank accounts and other data.
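An added example, not from the article and not Bonify's code: one way a service can close the kind of gap described above, where identity data could still be changed after verification. The account model, field names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

IDENTITY_FIELDS = ("name", "birth_date", "address")


@dataclass(frozen=True)
class Identity:
    name: str
    birth_date: str
    address: str


class Account:
    """Hypothetical account model (assumption, not the real service)."""

    def __init__(self, claimed: Identity):
        self.claimed = claimed                    # user-editable profile
        self.verified: Optional[Identity] = None  # snapshot attested at ident time

    def complete_ident(self, attested: Identity) -> None:
        # Keep what the identity provider attested, not what the user typed.
        self.verified = attested
        self.claimed = attested

    def update_profile(self, **changes: str) -> None:
        unknown = set(changes) - set(IDENTITY_FIELDS)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        self.claimed = replace(self.claimed, **changes)
        # Any edit to an identity field invalidates the earlier verification,
        # so there is no window in which changed data still counts as verified.
        if self.verified is not None and self.claimed != self.verified:
            self.verified = None


def identity_for_score_request(account: Account) -> Identity:
    """Identity that a downstream score lookup may be issued for."""
    if account.verified is None:
        raise PermissionError("identity not verified; verification must be repeated")
    # Only the attested snapshot is used, never the mutable profile.
    return account.verified


if __name__ == "__main__":
    me = Identity("Alex Example", "1990-01-01", "Musterweg 1")  # constructed data
    acct = Account(me)
    acct.complete_ident(me)
    print(identity_for_score_request(acct))
```
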

    Bonify in need of explanation

    Upon request, Schufa said that based on the current state of knowledge, the expert had “discovered a gap in the account identification process between Bonify and Boniversum that could be exploited to exchange one’s own address with a third-party address.” It was therefore not possible to query the Schufa score. “Schufa data was never affected by the incident.”

    Bonify co-founder Andreas Bermig said that at no time was personal or financial data of Spahn or other people hacked or transmitted. “The score published by Lilith Wittmann was based solely on the information entered by the activist from Mr. Spahn.”

    The comprehensive Schufa assessment is important for consumers. Banks, mail order companies, mobile phone companies or energy suppliers inquire about the creditworthiness of their customers from private credit agencies such as Schufa.

    Wittmann received criticism online for her decision to illustrate her message about the Bonify hack with screenshots of Spahn’s Boniversum score, which also show the date of birth and address of the former Federal Health Minister. “Privacy isn’t your thing, huh?” wrote one Twitter user (Privacy = data protection). Wittmann justified herself by saying that the data had been known since the discussion about Spahn’s controversial purchase of a villa.
