A hacker has discovered a security vulnerability in the Schufa-owned Bonify app, which provides information on individuals' credit scores.
This vulnerability allows rental credit reports to be extracted without the necessary authorization from Schufa.
Security researcher Lilith Wittmann from the hacker collective Zerforschung published the details of the vulnerability on Twitter and Mastodon, and at times users were unable to access the Schufa service through the app.
A security flaw has been found in Schufa's Bonify app in Germany.
The vulnerability was exploited by manipulating the identity verification mechanism, Wittmann said:
“Once your data has been verified using the Bankident procedure, you can update it within a second via the API.”
As a result, the hacker activist was able to obtain what is known as a "Boniversum score", a rating of creditworthiness as a tenant, using the information of politician Jens Spahn.
Please note that this score is not the same as Schufa's comprehensive credit score, which also tracks mobile phone contracts, loans, credit card activity, bank accounts, and other data.
Schufa is a credit bureau that holds data on about 68 million people, often without their knowledge. Consent to a Schufa clause is usually required when signing up for a bank account, mobile phone service, or energy contract.
This gives Schufa permission to share your information with these companies, which then use it to assess your payment behavior, including whether you repay loans and pay bills on time. Schufa uses an algorithm to calculate your Schufa score.
In response to the incident, Schufa said that the vulnerability was related to the account verification process between Bonify and Boniversum, which allowed a user's address to be swapped for another address. It clarified that the Schufa score is currently not queryable.
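The flaw described above is that identity data could be changed after it had been verified. The following sketch is an added example, not code from Bonify, Schufa or Boniversum. It shows one server-side mitigation: bind the verification to a digest of the verified attributes so that any later change voids it. All names, fields and sample values are hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: the attributes covered by the external identity check.
IDENTITY_FIELDS = ("name", "date_of_birth", "address")


def identity_digest(profile: dict) -> str:
    """Hash a canonical form of the identity attributes only."""
    subset = {k: profile.get(k) for k in IDENTITY_FIELDS}
    canonical = json.dumps(subset, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Account:
    profile: dict
    verified_digest: Optional[str] = None  # digest of the data that was verified

    def mark_verified(self) -> None:
        # To be called only after the external identity check succeeded.
        self.verified_digest = identity_digest(self.profile)

    def update_profile(self, changes: dict) -> None:
        # Updates are allowed, but they cannot carry the old verification
        # along: is_verified() recomputes the digest on every use.
        self.profile.update(changes)

    def is_verified(self) -> bool:
        if self.verified_digest is None:
            return False
        return hmac.compare_digest(self.verified_digest,
                                   identity_digest(self.profile))


def request_score(account: Account, lookup: Callable[[dict], int]) -> int:
    """Gate the score lookup on a verification that still matches the data."""
    if not account.is_verified():
        raise PermissionError("identity data changed; re-verification required")
    return lookup(account.profile)
```

Changing a non-identity field such as an e-mail address keeps the verification intact, while changing the address forces a new identity check before any score is returned.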
For his part, Bonify founder Andreas Bermig confirmed that no personal or financial data was hacked or transferred by any youth or anyone else.
He explained that the score that Lilith Wittmann published was based only on the information that the activist entered about the politician Jens Spahn.
Despite this, Wittmann was criticized online for publishing sensitive data about Spahn, such as his date of birth and previous address.
Wittmann argued that the data was already known from the discussion of Spahn's controversial purchase of a villa.