28 Million Records on Immobilise Website Exposed by Privacy Flaw
The United Kingdom is in the news again today. After the Moonpig vulnerability that exposed 3 million customers' details, the UK's premier National Property Register website, Immobilise, turns out to have been vulnerable to a privacy flaw that could have exposed its users' details to cyber criminals. The flaw, revealed by IT security consultant Paul Moore, may have put all 28 million records registered on Immobilise within reach of attackers.
Immobilise is the world's largest free register of possession ownership details, with roughly 4.2 million registered users. People use it to record valuables such as bikes, computers and phones, and the site is said to hold records for 28 million items. Immobilise and its partner services, the police's National Mobile Property Register (NMPR) and CheckMEND, have proved very helpful in tracing lost or stolen valuables in the United Kingdom; most of these services are used by insurance companies and police forces.
According to Paul Moore, the Immobilise website was affected by an insecure direct object reference vulnerability (IDOR, described in the report simply as a Direct Object Reference, DOR): records were addressed by predictable identifiers, and nothing checked that the person requesting a record was entitled to it. The bug exposed names, addresses, phone numbers, email addresses and details of registered items (serial numbers, IMEIs in the case of smartphones, unique marks and values) to anyone who asked for them.
The vulnerability stems from the URL presented to users who wish to register their products on Immobilise. To prove ownership they are expected to download an ownership certificate from Immobilise in PDF format. The download URL carries two parameters, a user ID and a certificate ID, and both are sequential, so a malicious actor can simply count through the values and retrieve certificates for every account and every record on the Immobilise server. An ID is a label for a record, not a secret; knowing one proves nothing about who is asking, which is why the server has to check ownership itself.
“An attacker wouldn’t know the ‘User ID’ or ‘Certificate ID’, so it’s safe, right?” Moore wrote in his blog post. “Far from it! The numbers aren’t random, they’re sequential, thus deterministic. If the last certificate number is 7161519, the next is 7161520 and so on. However, if someone happens to add another item to their account before you, your next number is 7161521.”
Further investigation of the Immobilise website revealed that the same direct reference is also used by the police and insurance companies to verify the authenticity of an ownership certificate from its ID, which means a fix has to keep that lookup usable for those parties while refusing to hand the owner's details to everyone else. Moore informed Recipero, the company that develops the Immobilise, CheckMEND and NMPR websites, and the issue has since been fixed.
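To make the sequential-ID problem and its fix concrete, here is a small Python model of a certificate-download endpoint in both the flawed and the hardened form, together with the enumeration an attacker would run against each and a minimal lookup for the police/insurer verification case described above. This is an added example written for this article; it is not Immobilise or Recipero code, the register it operates on is constructed, and every function and field name is an assumption chosen for illustration.

```python
"""Sequential-ID certificate download (an insecure direct object reference),
modelled and then hardened. Added example, not Immobilise/Recipero code;
the register below is constructed and all names are assumptions."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Certificate:
    cert_id: int      # sequential, as Moore describes: 7161519, 7161520, ...
    owner_id: int     # user id, also sequential
    item: str
    serial: str       # serial number or IMEI: the kind of data that was exposed
    # Random capability token, one per record (used by the hardened variant).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


# Constructed sample register: three certificates belonging to two users.
CERTS = {
    7161519: Certificate(7161519, 1001, "bicycle", "BK-44321"),
    7161520: Certificate(7161520, 1002, "phone", "IMEI 350000000000001"),
    7161521: Certificate(7161521, 1001, "laptop", "SN-9981"),
}
BY_TOKEN = {c.token: c for c in CERTS.values()}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def download_vulnerable(url_user_id: int, url_cert_id: int) -> Certificate:
    """Flawed pattern: both ids come from the URL and nothing ties them to the
    requester. A matching (user, cert) pair is all it takes, and both numbers
    are sequential, so the pair is cheap to find."""
    cert = CERTS.get(url_cert_id)
    if cert is None or cert.owner_id != url_user_id:
        raise NotFound
    return cert


def download_hardened(session_user_id: int, url_cert_id: int) -> Certificate:
    """Fix: the owner comes from the authenticated session, never the URL, and
    the record's owner is compared with it. The certificate id may stay
    sequential, because knowing it no longer grants access."""
    cert = CERTS.get(url_cert_id)
    if cert is None:
        raise NotFound
    if cert.owner_id != session_user_id:
        raise Forbidden
    return cert


def download_by_token(token: str) -> Certificate:
    """Alternative for links that must work without a login (e-mailed PDFs):
    an unguessable random token replaces the sequential ids entirely."""
    cert = BY_TOKEN.get(token)
    if cert is None:
        raise NotFound
    return cert


def verify_for_checker(url_cert_id: int) -> dict:
    """Police/insurer lookup: confirms that a certificate number exists and what
    kind of item it covers, without returning the owner's personal details."""
    cert = CERTS.get(url_cert_id)
    return {"valid": cert is not None, "item": cert.item if cert else None}


def harvest_vulnerable(cert_ids, user_ids):
    """Enumeration against the flawed endpoint: walk both sequential
    parameters and keep every certificate that comes back."""
    found = []
    for cert_id in cert_ids:
        for user_id in user_ids:
            try:
                cert = download_vulnerable(user_id, cert_id)
            except NotFound:
                continue
            found.append((cert.cert_id, cert.owner_id, cert.serial))
            break  # pair found; move on to the next certificate id
    return found


def harvest_hardened(session_user_id: int, cert_ids):
    """The same walk by an attacker logged in as themselves against the fixed
    endpoint: only their own records come back."""
    found = []
    for cert_id in cert_ids:
        try:
            cert = download_hardened(session_user_id, cert_id)
        except (NotFound, Forbidden):
            continue
        found.append((cert.cert_id, cert.owner_id, cert.serial))
    return found


if __name__ == "__main__":
    ids, users = range(7161510, 7161530), range(1000, 1010)
    print("vulnerable:", harvest_vulnerable(ids, users))
    print("hardened, logged in as 1002:", harvest_hardened(1002, ids))
```

Run it and the flawed endpoint gives up all three records to a walk over twenty certificate numbers and ten user numbers, while the hardened endpoint returns only the records of the account the attacker actually holds. Whether to keep sequential ids behind a session check or switch to random tokens depends on how the link is used: a PDF link that has to work from an e-mail without a login needs the token, whereas the checker lookup can keep the public certificate number as long as it returns nothing personal.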