Imagine things are bad enough that you need a payday loan. Then imagine flaws in systems of loan lead generators leave your records in the open... for years • The Register

Two separate internet affiliate networks have closed vulnerabilities that exposed potentially millions of records in one of the most sensitive areas: payday loans.

US-based software engineer Kevin Traver contacted us after he found two large groups of short-term loan websites that were giving up sensitive personal information via separate vulnerabilities. These groups all gathered loan applications and fed them to back-end systems for processing.

The first group of sites allowed visitors to retrieve information about loan applicants simply by entering an email address and a URL parameter. A site would then use this email to look up information on a loan applicant.

"From there it would pre-render some information, including a form that asked you to enter the last four digits of your SSN [social security number] to continue," Traver told us. "The SSN was rendered in a hidden input, so you could just inspect the website code and view it. On the next page you could review or update all information."

You think you're applying for a payday loan but you're actually at a lead generator or its affiliate site... They're just hoovering up all that information
Traver found a network of at least 300 sites with this vulnerability on 14 September, each of which would divulge personal information that had been entered on another. After contacting one of these affected sites - namely coast2coastloans.com - on 6 October we received a response from Frank Weichsalbaum, who identified himself as the owner of Global Management LLC.

Weichsalbaum's company collects loan applications generated by a network of affiliate sites and then sells them on to lenders. In the affiliate world, this is known as a lead exchange.

Affiliate sites are common entry points for people who search online for loans, explains Ed Mierzwinski, senior director of the Federal Consumer Program at US PIRG, a collection of public interest groups in North America that lobbies for consumer rights. "You think you're applying for a payday loan but you're actually at a lead generator or its affiliate site," he told The Register. "They're just hoovering up all that information."

How does it work?
Weichsalbaum's company feeds the application data into software known as a ping-and-post system, which sells that data as leads to potential lenders.

The software starts with the highest-paying lenders first. The lender accepts or declines the lead automatically based on their own internal rules. Each time a lender refuses, the ping tree offers the lead to another who is prepared to pay less. The lead trickles down the tree until it finds a buyer.

Weichsalbaum was unaware that his ping-and-post software was doing more than sucking in leads from affiliate sites. It was also exposing the information in its database via at least 300 sites that connected to it, Traver told us.

Affiliates would plug his company's front-end code into their sites so that they could funnel leads through to his system, Weichsalbaum told us, adding that the technical implementation was flawed.

"There was an exploit which allowed them to recall some of that data and bring it to the forefront, which obviously wasn't our intention," he said.

His technical team created an initial emergency fix for the vulnerability within a few hours, and then created a long-term architectural fix within three days of learning about the flaw.

Another group of vulnerable sites
While researching this group of sites, Traver also discovered a second group - this time of over 1,500 - that he said revealed a different collection of payday applicant data. Like Weichsalbaum's group, this one had an insecure direct object reference (IDOR) vulnerability which enabled visitors to access data at will directly by altering URL parameters.

Each loan application on this second group of sites generates an ID number. Submitting that number in a POST request to a site in the network caused it to divulge sensitive data about the user, even if it had been entered on another site in the group. In many cases this included their email address, a partial social security number, date of birth, and zip code, along with the amount they applied to borrow.

Submitting this initial information back to the site as more URL parameters in another POST request revealed still more information. The applicant's full name, phone number, mailing address, their homeowner status, driver's licence number, income, pay period, employment status and employer information were all publicly available via many of the sites, along with their bank account details.

Traver proved that he could retrieve different records by simply incrementing the ID parameter in the POST request, often through sites that were not HTTPS encrypted.

The contact page for one of the sites (theloanstore.org) included a graphic that said "Brought to you by Zoom Marketing, INC a Kansas Corporation". Many other sites also included this graphic in their folder structure without displaying it on their public-facing pages.

We sent our findings via the privacy page on theloanstore.org and via Zoom Marketing's website with no response. After two weeks, we tracked down the company's owner: Tim Prier, a Kansas-based entrepreneur and owner of a separate mobile banking company called Wicket. He wouldn't grant an interview but eventually sent us a statement.

His team had addressed the vulnerability within days, he said, attributing it to a "bad code push".

"After conducting an extensive investigation across all Apache and application logs, we are confident that there was no data breach and no data was compromised or exposed," he wrote, adding that Zoom Marketing had not received any complaints from consumers pertaining to identity loss or theft. Zoom Marketing - which he emphasised had no connection to his other companies - is now awaiting an independent security analysis.

How many records were exposed?
When someone misconfigures an S3 bucket, you can analyse all the database records by retrieving the file. Traver couldn't do that with these insecure web applications because each record had to be accessed and counted individually. An attacker could have scripted an attack for mass data collection but Traver didn't, instead opting to test random ID numbers across a range of sequential records.

"You want to show the extent of the problem but you don't want to cross any personal or legal boundaries. All of those boundaries lean towards caution rather than collecting all of the records," he said. "The goal wasn't to collect this data, the goal was to fix it."

Instead, he tested around 170 random ID numbers across a subset of 70 million records served by Prier's back-end system and found roughly 80 per cent of the ID numbers returning valid personally identifiable information (PII).

He also analysed sequential record ID numbers exposed by Weichsalbaum's system and estimated that roughly 140 million records were available online, dating back to 2014.

Weichsalbaum explained that not all records were unique with full data. Many of them contained minimal or no information after a visitor abandoned a page, but the system kept them so that it could reconcile complaints of spam activity from affiliates.

"It's a decent sized number," he said, describing the real level of exposed data, "but it's definitely not close to 140 million people."

Neither Weichsalbaum or Prier would reveal exactly how many unique records were exposed, or how long for.

What's clear is that this is a significant data exposure in a crucial component of an online lending sector that has grown dramatically in the past two decades, driven by regulatory rollbacks and a vacuum in micro-credit.

Most consumer protection legislation operates at a US state level. Federal regulation took a step backwards when the Consumer Financial Protection Bureau (CFSB), which regulates small lenders federally, repealed a contested 2017 rule. That rule would have required payday lenders to check that applicants could afford to make the payments.

The online lending industry has some large tier one lenders at the top and then a myriad of smaller lenders, say experts - and they're mostly tucked away behind lead exchanges. "Online lending is something that we're interested in and in trying to get a good handle on, but it's a lot more nebulous," explained Charla Rios, a researcher at the Center for Responsible Lending, a non-profit that lobbies for equitable practices in the financial sector. "They're harder to track, for sure."

As the bridge between affiliates and online lenders, lead exchanges are a critical step in the online lending process. Both Weichsalbaum and Prier quickly fixed the vulnerabilities in their systems, but those close to the industry say that there are many other lead generation sites dealing in short-term loans, along with other types of affiliate lead.

A developer who helped create one of the early ping-and-post systems told us that this sector is filled with smaller lead exchanges: "There's so much money in this game that the number of entities involved is just mind-boggling," he said.

He concluded that he left the industry 10 years ago when he saw what was coming: "I told everybody that this kind of crap was going to happen if you just start sending everybody's data all over the place."