A website recommended by large portions of the UK’s police forces has fixed a privacy bug that provided a “shopping list for burglars” after being tipped off to the exploit by a security researcher, reports the BBC.
Immobilise – which has an estimated 4.2 million users – is a security website that allows people to add records to the UK’s National Property Register, letting them list the valuables in their home. Security researcher Paul Moore discovered an exploit which would allow others to view the full list of valuables registered by clients, creating a “shopping list for a would-be burglar.” It is estimated there are 28 million records on the site.
Moore discovered that by changing ID numbers in the site’s URLs, other people’s records could be accessed without any further security checks. These records included the names, addresses and list of costed valuables in each home. The Register notes that due to a lack of compartmentalization, “no passwords were requested to access the ‘/verify’ & pdf generation pages.”
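The flaw described above is an insecure direct object reference: the sequential ID in the URL is the only thing needed to fetch a record. The following is an added illustration, not Recipero’s or Immobilise’s code, with constructed sample data and assumed names; it shows the flawed handler beside a hardened one that requires a session and an ownership check, and replaces the guessable ID with a random token for the insurer-sharing feature.

```python
import secrets
from typing import Dict, Optional, Tuple

class NotFound(Exception): pass
class Forbidden(Exception): pass
# Constructed sample data: (owner, description), keyed by the sequential ID seen in the URL.
RECORDS: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "laptop, serial ABC123"),
    1002: ("bob", "bicycle, frame no. XYZ789"),
}
# Random, unguessable tokens minted when an owner invites an insurer to view one item.
SHARE_TOKENS: Dict[str, int] = {}

def verify_vulnerable(record_id: int) -> Tuple[str, str]:
    # The flawed pattern: whoever supplies a valid ID gets the record (IDOR).
    if record_id not in RECORDS:
        raise NotFound("no such record")
    return RECORDS[record_id]

def verify_fixed(session_user: Optional[str], record_id: int) -> Tuple[str, str]:
    # Hardened: require a login and ownership; same error for missing and foreign IDs so they cannot be enumerated.
    if session_user is None:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None or rec[0] != session_user:
        raise NotFound("no such record")
    return rec

def create_share_link(session_user: Optional[str], record_id: int) -> str:
    # Owner-only: mint a random capability token instead of handing the sequential ID to an insurer.
    verify_fixed(session_user, record_id)  # reuse the ownership check
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = record_id
    return token

def verify_shared(token: str) -> Tuple[str, str]:
    # Insurer view: only a token obtained from the owner resolves to a record.
    record_id = SHARE_TOKENS.get(token)
    if record_id is None:
        raise NotFound("no such record")
    return RECORDS[record_id]

def refused(exc, fn, *args) -> bool:
    # Helper for checks: True if the request is rejected with `exc`.
    try:
        fn(*args)
    except exc:
        return True
    return False
```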
“They’ll know your name, home address, telephone number(s), email address, the make/model of your item, any identifying factors (serial numbers, IMEIs, unique marks etc) and even how much it’s worth,” Moore wrote.
Recipero, the company behind the Immobilise website, issued a statement explaining that the website had since been fixed to prevent this breach: “The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item. This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.”
Recipero’s Chief Operating Officer Les Gray told BBC News that there were some “inaccuracies” in Moore’s original post, but would not be drawn on what these were. They also fixed a possible exploit that took advantage of the recently uncovered POODLE vulnerability.
According to the BBC, the Association of Chief Police Officers “welcomed the speed at which the vulnerability was fixed, but added it would be discussing the matter with Recipero.”
Author: Alan Martin, ESET