At the end of last week I was contacted privately by security consultant Paul Moore, who had stumbled across a glaring privacy hole on a site which really should have known how to lock up its valuables better.
Immobilise, the UK’s National Property Register, has been used by millions of Brits up and down the country to register the valuable possessions they have in their home.
The (very commendable) idea is that when police collar someone suspicious and find him in possession of items such as luxury TVs, smartphones, tablets or jewellery that might have been stolen in a burglary, they can quickly do an online search to try to track down the goods' genuine owner.
And the Immobilise website isn’t afraid to blow its own trumpet about its successes:
Immobilise can be used by members of the public and businesses to register their valued possessions or company assets, and exclusive to Immobilise all account holders' registered items and ownership details are viewable on the Police national property database, the NMPR.
This online checking service is used thousands of times each day by UK Police forces to trace owners of lost and stolen property.
As a direct result of Immobilise there are hundreds of cases a week where property is returned or information collected that assists the Police in investigating criminal activity involving stolen goods.
All very good, of course.
But it's not just police forces who would find value in all that data. I would be willing to bet that there are plenty of petty thieves who would love to have a list of houses, and the details of the valuables contained within them too. After all, the records kept by Immobilise include names, phone numbers, home addresses, email addresses and serial numbers – as well as the estimated value of some items.
As Paul Moore explains on his blog, accessing a stranger’s Immobilise record on the site is child’s play.
That's because each record on the site is accessed via a URL which contains two parameters, the user ID and the certificate ID, and the site never checked that whoever requested the page was actually entitled to see that record. It is a textbook insecure direct object reference: the IDs are sequential numbers, so anyone who can see their own record can see everyone else's.
So, you simply change 7161519 to 7161520, 7161521, 7161522… and so on.
If you had the patience (or rather, if you had the patience to get a computer to do it for you) you could download 28 million records that should have been kept properly secured.
“Sure, it’ll take some time and you’re bound to hit a rate limiter along the way, but even if it takes a day/week/month, it’s worth the wait,” wrote Moore.
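To make the flaw concrete, here is an added example (my own illustration, not Immobilise's code, and not a description of what Recipero actually changed) of the two halves of the problem: a handler that hands back whatever record the URL asks for, beside the two standard fixes. The first fix ties the record to the server-side session of the logged-in owner; the second handles the "let my insurer view this item" use case Recipero mentioned with a random, expiring share token instead of a guessable number. The records, IDs and owner names are constructed sample data.

```python
"""Insecure direct object reference (IDOR) versus two hardened designs.

Constructed sample data; nothing here is taken from the real Immobilise site.
"""
import hashlib
import secrets
import time

# Constructed sample records keyed by sequential certificate ID (as the real site
# appeared to do). user_id is the account that registered the item.
RECORDS = {
    7161519: {"user_id": 1001, "owner": "A. Owner", "item": "Laptop", "serial": "SN-0001"},
    7161520: {"user_id": 1002, "owner": "B. Owner", "item": "Watch", "serial": "SN-0002"},
    7161521: {"user_id": 1003, "owner": "C. Owner", "item": "Camera", "serial": "SN-0003"},
}


class Forbidden(Exception):
    """Raised when a request is refused; callers should map this to HTTP 403/404."""


def vulnerable_view(params):
    """The flawed pattern: the URL names the record, and the server trusts it.

    The user_id in the query string is decoration; the handler never compares the
    caller's real identity with the record's owner, so any certificate_id works.
    """
    rec = RECORDS.get(int(params["certificate_id"]))
    return rec  # returned to whoever asked, owner or not


def enumerate_vulnerable(start, count):
    """What an attacker does with sequential IDs: count upwards and collect hits."""
    hits = []
    for cert_id in range(start, start + count):
        rec = vulnerable_view({"user_id": "0", "certificate_id": str(cert_id)})
        if rec is not None:
            hits.append(rec)
    return hits


def owner_view(session_user_id, params):
    """Hardened: identity comes from the authenticated session, not the URL.

    Missing and not-yours records get the same refusal, so a scanner cannot tell
    which IDs exist.
    """
    rec = RECORDS.get(int(params["certificate_id"]))
    if rec is None or rec["user_id"] != session_user_id:
        raise Forbidden("no such record for this account")
    return rec


# Share tokens for the insurer feature: sha256(token) -> (certificate ID, expiry).
# Only the digest is stored, so a copy of this table does not yield usable links.
SHARE_TOKENS = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_share_link(session_user_id, cert_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Owner mints a share token for one record. 256 random bits: counting up will
    never find a neighbour's token, unlike a sequential certificate ID."""
    rec = RECORDS.get(cert_id)
    if rec is None or rec["user_id"] != session_user_id:
        raise Forbidden("cannot share a record you do not own")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[_digest(token)] = (cert_id, now + ttl_seconds)
    return token


def share_view(token, now=None):
    """Insurer's view: access is granted by possession of a valid, unexpired token."""
    now = time.time() if now is None else now
    entry = SHARE_TOKENS.get(_digest(token))
    if entry is None:
        raise Forbidden("unknown or revoked token")
    cert_id, expires_at = entry
    if now > expires_at:
        raise Forbidden("expired token")
    return RECORDS[cert_id]


def is_denied(fn, *args, **kwargs):
    """Helper for the demonstration: True if the call is refused with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # The attack: three sequential IDs, three different people's property.
    for rec in enumerate_vulnerable(7161519, 3):
        print("leaked:", rec["owner"], rec["item"], rec["serial"])
    # The fixes: the owner sees their own record, nobody else's.
    print("owner sees own record:", owner_view(1001, {"certificate_id": "7161519"})["item"])
    print("owner blocked from neighbour:", is_denied(owner_view, 1001, {"certificate_id": "7161520"}))
    tok = create_share_link(1001, 7161519, now=0.0)
    print("insurer view via token:", share_view(tok, now=60.0)["item"])
    print("token expired after a week:", is_denied(share_view, tok, now=8 * 24 * 3600.0))
```

The rate limiter Moore mentions would only slow the loop in `enumerate_vulnerable`; it is the missing ownership check in `vulnerable_view`, not the request rate, that is the vulnerability. Note also that `owner_view` deliberately returns the same refusal for "record does not exist" and "record belongs to someone else", so even the hardened endpoint does not leak which IDs are in use.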
News of the vulnerability became public yesterday on the BBC News website: ‘Burglar’s shopping list’ security flaw fixed.
But what you won’t necessarily realise when reading that news report is that the only reason the problem got fixed was because Paul Moore told the BBC about it, and the Beeb’s technology team began to sniff around and ask Immobilise some awkward questions.
Immobilise didn’t seem to take the problem anything like as seriously back in 2013, when they were first told about the flaw by Moore.
It reminds me quite a lot of how Dropbox only fixed a serious security hole on its systems which saw tax returns, mortgage applications and private photographs leak out when the BBC contacted them – months after initially being told there was a problem, and doing nothing.
Recipero, operators of Immobilise, issued a statement claiming it had now fixed the website:
Recipero, the provider of the Immobilise.com property register, confirms that a vulnerability in the website process has been identified. The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item.
This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.
Better late than never I guess, but elementary security holes like this shouldn't have been present in the first place. How many other systems, I wonder, might hold equally valuable data for criminals but are being protected by controls about as useful as a chocolate teapot?
It does rather make a mockery of this claim made on the front page of Immobilise’s website:
Immobilise is accredited with the Secure by Design award; this means its systems and security solutions meet Police-approved standards.
To which I can only respond, “Oh dear. Maybe you need to improve your standards?”
Oh, and by the way, in case you're wondering how securely the police handle the data once it reaches systems like the NMPR (National Mobile Property Register), it's not all good news.
That site, also run by Recipero, was found by Moore to have its own security issues – such as still accepting SSL 3.0 connections and so being vulnerable to the POODLE attack.
Apparently this has now also been fixed, albeit without a public thank you to Paul Moore.
You can learn more about the flaws in the Immobilise website in Paul Moore’s blog post.