Date: 2023-07-24

Money vulnerability in Bonify app

Hacker publishes Jens Spahn’s Schufa information

As of: 4:58 p.m.

At times, rental creditworthiness certificates could be retrieved in the app without authorization

Source: dpa/Peter Kneffel

Security researcher Lilith Wittmann obtained protected data via a security vulnerability in the app of the Schufa subsidiary Bonify. On Twitter she published the rental creditworthiness of the former Health Minister Jens Spahn. The app then went offline.

A serious security vulnerability has been found in the Bonify app, which Schufa presents as a way to gain insight into one’s own creditworthiness. Rental creditworthiness certificates could be retrieved without authorization via the app of the Schufa subsidiary Bonify. This emerges from posts by the security researcher Lilith Wittmann from the hacker collective “Zerforschung” on Twitter and Mastodon. On Monday afternoon, the Schufa service could not be reached via the app. The “Süddeutsche Zeitung” reported on the incident.

Wittmann had exploited a vulnerability in identity verification. “Because after you have verified your data using the Bankident procedure, you can update it for about a second via a programming interface,” Wittmann wrote on Mastodon.

In this way, the hacker activist had the so-called Boniversum score of the CDU politician Jens Spahn issued to her. The Boniversum score corresponds to the rental creditworthiness certificate. This is not Schufa’s broader credit score, which also tracks cell phone contracts, loans, credit card activity, bank accounts, and other data.

When asked, Schufa said that according to the current state of knowledge, the expert had “discovered a gap in the account identification process between Bonify and Boniversum that could be exploited to exchange one’s own address with an external one.” It was therefore not possible to query the Schufa score. “Schufa data was never affected by the incident.”
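The gap described above amounts to a verification result that remains valid after the verified data has changed. As an added illustration (not code from Bonify, Boniversum or Schufa; the class, field and function names are hypothetical), the following Python example binds the verification to a digest of the identity fields and re-checks it before any score lookup:

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical field names; the article only mentions that the address
# could be exchanged after verification.
IDENTITY_FIELDS = ("name", "birth_date", "address")


def identity_digest(profile: dict) -> str:
    """Digest over exactly the fields the identity check confirmed."""
    canonical = json.dumps([profile.get(f) for f in IDENTITY_FIELDS],
                           ensure_ascii=False, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Account:
    profile: dict
    verified_digest: Optional[str] = None  # set only by the identity check

    def mark_verified(self) -> None:
        """Called after the external identity check succeeded."""
        self.verified_digest = identity_digest(self.profile)

    def update_profile(self, changes: dict) -> None:
        """Profile API: a change to an identity field revokes verification."""
        self.profile.update(changes)
        if any(f in changes for f in IDENTITY_FIELDS):
            self.verified_digest = None

    def is_verified(self) -> bool:
        # Re-check at time of use, so a write path that forgot to revoke
        # verification still cannot pass a changed identity through.
        return (self.verified_digest is not None
                and self.verified_digest == identity_digest(self.profile))


def request_score(account: Account, lookup) -> str:
    """Query the score backend only for the identity that was verified."""
    if not account.is_verified():
        raise PermissionError("identity data changed since verification")
    return lookup(account.profile)
```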

The comprehensive Schufa rating is important for consumers. Banks, mail order companies, mobile phone companies or energy suppliers inquire about the creditworthiness of their customers from private credit agencies such as Schufa.

