A privacy flaw enabling open access to millions of property records on the Immobilise UK National Property Register website has been identified and fixed.
Security expert Paul Moore discovered a flaw which allowed access to other people’s records.
The site makes it possible for users to list and add details about valuables in their homes to the National Property Register, which counts an estimated 4.2 million users and 28 million records. The records included names, telephone numbers, addresses, as well as valuables and their estimated worth and serial numbers. In the wrong hands, this information would give burglars and other malevolent individuals a handy tool for compiling a rundown of potential targets.
The system is recommended by the policing association ACPO, and is used by most UK police forces to reunite stolen belongings with their rightful owners.
Moore discovered that by altering the ID number contained within the website’s URL, different consumer records could be downloaded, with no security authentication needed to access the “‘/verify’ & pdf generation pages.”
Moore wrote in his blog post:
An attacker wouldn’t know the “User ID” or “Certificate ID”, so it’s safe, right?
Far from it! The numbers aren’t random, they’re sequential, thus deterministic. If the last certificate number is 7161519, the next is 7161520 and so on. However, if someone happens to add another item to their account before you, your next number is 7161521.
By simply looping through every combination, it’s possible to collect all 28+ million entries.
Moore refers to this flaw as a direct object reference exploit, or an “open DOR” attack, suggesting the ease of identifying and exploiting the bug.
Recipero, operators of Immobilise, released a statement confirming that the vulnerability had been discovered and patched, and that there was no evidence to suggest consumer information had been breached.
Recipero, the provider of the Immobilise.com property register, confirms that a vulnerability in the website process has been identified. The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item.
This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.
The firm also confirmed that a POODLE/SSLv3 exploit had been resolved.
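For a sharing feature like the insurer invitation described above, one common mitigation is to stop treating the sequential certificate number as the credential and require a signed, expiring share token bound to that one record. The sketch below is an added example, not Immobilise's or Recipero's code; the function names, token layout and key handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a server-side secret. A real deployment loads it from a
# secret store so tokens survive restarts and can be rotated.
SHARE_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SHARE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_share_token(certificate_id: int, ttl_seconds: int,
                      now: Optional[int] = None) -> str:
    """Mint a token for one record. Call this only after confirming that
    the logged-in user owns certificate_id (hypothetical ownership check)."""
    issued = int(time.time()) if now is None else now
    payload = f"{certificate_id}.{issued + ttl_seconds}"
    return f"{payload}.{_sign(payload.encode()).decode()}"


def verify_share_token(token: str, requested_id: int,
                       now: Optional[int] = None) -> bool:
    """Gate for the verify and PDF views: the ID alone is never enough."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    cert_id, expires, sig = parts
    expected = _sign(f"{cert_id}.{expires}".encode())
    # Constant-time comparison; a valid MAC proves we minted this payload,
    # so cert_id and expires are the integers issue_share_token wrote.
    if not hmac.compare_digest(sig.encode(), expected):
        return False
    current = int(time.time()) if now is None else now
    # The token is bound to a single record and stops working at expiry.
    return int(cert_id) == requested_id and current < int(expires)
```

With this gate in place, incrementing the ID in the URL yields a signature mismatch instead of the next registrant's record, and a leaked link stops working once it expires.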