BROOKFIELD, Wis.—Fiserv said it has fixed a web platform weakness that exposed personal and financial details of customers/members across hundreds of financial institutions' websites, Krebs on Security reported.
The flaw was found when a security researcher, working in his web browser, began playing with transaction alerts he received from his bank, which uses Fiserv's platform. By changing the specific "event numbers" he received on his transactions, the researcher could view and edit alerts set up by another bank customer, allowing him to see that customer's email address, phone number and the last four digits of their bank account number, Krebs reported.
This flaw could have allowed a cybercriminal to target customers who have signed up for such banking alerts, Krebs said.
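The class of weakness described above, where a record is fetched by a browser-supplied identifier without confirming who owns it, is shown here as an added Python example beside a corrected lookup. This is not Fiserv's code or its patch, which the report does not detail; the function names, fields and sample records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    event_number: int
    owner: str        # customer ID the alert belongs to
    email: str
    phone: str
    acct_last4: str


# Constructed sample data: two customers, one alert each.
ALERTS = {
    1001: Alert(1001, "cust-A", "a@example.test", "555-0100", "1234"),
    1002: Alert(1002, "cust-B", "b@example.test", "555-0101", "9876"),
}
DENIED = []  # (session customer, requested event number) pairs for monitoring


def get_alert_vulnerable(session_customer, event_number):
    """Weak pattern: trusts whatever event number the browser sends."""
    return ALERTS.get(event_number)


def get_alert(session_customer, event_number):
    """Hardened: the record must belong to the authenticated customer."""
    alert = ALERTS.get(event_number)
    if alert is None:
        return None
    if alert.owner != session_customer:
        DENIED.append((session_customer, event_number))
        return None  # same answer as "not found", so nothing is confirmed
    return alert


def update_alert(session_customer, event_number, **changes):
    """Edits pass through the same ownership check as reads."""
    alert = get_alert(session_customer, event_number)
    if alert is None:
        return False
    for field in ("email", "phone"):
        if field in changes:
            setattr(alert, field, changes[field])
    return True
```

The `DENIED` list stands in for an audit log: repeated entries from one session for event numbers it does not own are the signal a monitoring team would alert on.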
Fiserv said in a statement that the problem stemmed from an issue with “a messaging solution available to a subset of online banking clients.” Krebs said Fiserv declined to say exactly how many financial institutions may have been impacted overall. However, experts told Krebs that some 1,700 FIs currently use Fiserv’s retail banking platform.
‘A High Priority’
“Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave told Krebs, saying that after the company received an email from Krebs about the matter it “promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”
