Inman

Big real estate software vendor Lone Wolf admits to vulnerability, says it’s fixed

Photo by Patrick Hendry on Unsplash

Large real estate tech vendor Lone Wolf Technologies‘ legacy software platform loadingDOCS had a security vulnerability that could have potentially exposed stored information to hackers, though there is no evidence that data was breached, a company spokesperson told Inman, citing an internal study.

“We did have a small security vulnerability on a product that’s called loadingDOCS, which our legacy document review solution,” said Kate Annis, Lone Wolf’s vice president of marketing. “There’s less than 50 customers on it. We eliminated the issue within hours of the discovery. There was no evidence that any data was breached.”

Lone Wolf is a real estate software company that says it supports over 10,000 real estate offices in the United States and boats more than 50 percent of the top 500 residential brokerages as clients – including at RE/MAX, where the software is offered as a perk, and the NRT companies (a subsidiary of Realogy).

LoadingDOCS is a product the company no longer sells on the market – it’s been replaced by TransactionDesk.

“It was greatly exaggerated how much the vulnerability could have been,” said Annis. “You would need client does and a whole bunch of information to even access the data, but no data was accessed at all. We did significant studies to show nothing was found at all to have had a data breach.”

Canadian real estate company eZmax posted the alert on SECLists.org, which said randomly changing the number at the end of Lone Wolf’s customer data URLs allowed anyone to remotely access multiple files from multiple customers.

“So anyone using a robot could download thousands of files containing sensitive information,” the email read. “(Brokerage contracts, trust account details, Fintrac details, etc). We don’t even need to be logged in the software as these URLs are public facing without any session or user validation.”

According to the alert, the issue was discovered by another company on August 3rd and Lone Wolf was notified first on August 17. They were notified again on September 5 and allegedly addressed the problem on September 6. Lone Wolf then allegedly disclosed the vulnerability on September 10.

A spokesperson for eZmax told Inman it notified Lone Wolf of the break, then followed protocol as required, reporting the breach to a security list.

Lone Wolf’s signature product is brokerWolf, a back-end office solution that provides transaction management, accounting, automated commissions and expenses and reports on membership and profitability, according to the company website.

In an email, a spokesperson from RE/MAX confirmed its approved suppliers program was not notified of any security issues.

Email Patrick Kearns

Update: Story was updated to add clarifying details about eZmax’s role in notifying the public of the security issue.