In order to point out a security gap in the Schufa app Bonify, a security researcher shared tenant information from former Health Minister Jens Spahn on Mastodon. After the problem became known, the Bonify service has now been switched off for the time being.
In December 2022, the Bonify company was taken over by Schufa. In the app of the same name, users can check whether they are considered creditworthy. The idea was that they could call up their credit score at any time and free of charge – for more transparency, it was said at the time. However, after tenant information could be accessed by other people at the weekend due to a security gap, the app is now offline for the time being.
The data of the former Minister of Health Jens Spahn was also published – by the security researcher Lilith Wittmann.
Wittmann, who is part of the Zerforschung hacker collective, got hold of tenant information from the CDU politician through the gap. “You may have heard of Bonify,” says her post, which is still available on the microblogging service Mastodon, “a subsidiary of Schufa that shows you your creditworthiness and also issues tenant information. It doesn’t just do that for you personally, but for anyone you ever want a credit report for.”
“We apologize for the inconvenience”
By sharing the information from Jens Spahn – all “public” information, as the expert emphasized – Wittmann drew attention to the app’s security gap: “Because after you have verified your data using the Bankident procedure, you can update it for about a second via a programming interface,” she explained. “That’s how I got Jens Spahn’s Boniversum score, for example.”
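The flaw described in the quote is a gap between identity verification and the data the credit lookup is keyed on. The following constructed Python model, added here and not Bonify's or Boniversum's code, contrasts a service that lets identity fields change after verification with one that freezes them and binds the report lookup to the identity that was actually verified; field names, the `verify` step and the report lookup are assumptions.

```python
"""Model of a verify-then-update window in a credit-report profile service.

Constructed example (not Bonify's code). Assumes a profile with identity
fields, a verification step comparable to a bank-identification check, and
a report lookup keyed on those fields.
"""
from dataclasses import dataclass
from typing import Optional

IDENTITY_FIELDS = {"name", "date_of_birth", "address"}


class IdentityLocked(Exception):
    """Raised when verified identity fields are changed without re-verification."""


@dataclass
class Profile:
    name: str
    date_of_birth: str
    address: str
    email: str = ""
    verified: bool = False
    verified_identity: Optional[dict] = None  # snapshot taken at verification


def verify(profile: Profile) -> None:
    """Verification records exactly which identity it attested to."""
    profile.verified = True
    profile.verified_identity = {f: getattr(profile, f) for f in IDENTITY_FIELDS}


def update_weak(profile: Profile, **changes) -> None:
    """Weak: identity fields stay writable after verification."""
    for key, value in changes.items():
        setattr(profile, key, value)


def update_hardened(profile: Profile, **changes) -> None:
    """Hardened: once verified, identity fields can only change via re-verification."""
    if profile.verified and IDENTITY_FIELDS & changes.keys():
        raise IdentityLocked("identity fields are frozen after verification")
    for key, value in changes.items():
        setattr(profile, key, value)


def report_subject_weak(profile: Profile) -> dict:
    """Weak: report is looked up with whatever the profile holds right now."""
    if not profile.verified:
        raise PermissionError("not verified")
    return {f: getattr(profile, f) for f in IDENTITY_FIELDS}


def report_subject_hardened(profile: Profile) -> dict:
    """Hardened: report is bound to the identity snapshot the verification covered."""
    if not profile.verified or profile.verified_identity is None:
        raise PermissionError("not verified")
    return dict(profile.verified_identity)
```

Both hardened checks belong server-side; a client-observed one-second window is irrelevant if the service never accepts post-verification identity edits and never keys a lookup on unverified fields.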
Wittmann published a screenshot of the tenant information. After the vulnerability became known, Bonify spoke up: “We apologize for the inconvenience, we are currently carrying out maintenance work,” say the app and the website. The service has been shut down for the time being, and Bonify will be “back online shortly”.