A website listing the valuables of millions of Britons was nearly transformed into a “burglar’s shopping list” due to a critical vulnerability in its software, the BBC reports.
Immobilise is a UK website which acts as a free register for individuals’ and businesses’ valuables. It has more than 4 million registered accounts, listing more than 28 million valuables, ranging from computer hardware to bikes to jewellery. It’s supported by the British police as it helps combat theft by providing a nationwide database of goods and serial numbers that can be cross-referenced against “recovered goods or suspected stolen property,” its website states.
But a vulnerability discovered by security researcher Paul Moore and publicised this week meant hackers were theoretically able to access the entire database of 28 million valuable items, in addition to the addresses they’re registered to. It’s “quite a nice shopping list for a would-be burglar,” Moore writes.
“They will know your name, home address, telephone number(s), email address, the make/model of your item, any identifying factors (serial numbers, IMEIs, unique marks etc), and even how much it’s worth,” the researcher continues. “Sure it will take some time and you’re bound to hit a rate limiter along the way, but even if it takes a day/week/month, it’s worth the wait.”
Each record had an ID number. Changing that ID number in a request returned any other user’s record, with no password required: a textbook insecure direct object reference, and because the IDs were predictable, an attacker could simply walk through them. As Security Week notes, this design was actually “a feature that allowed police and insurance companies to verify the authenticity of an ownership certificate based on its ID.” In short, the site was “insecure by design.”
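To make the flaw concrete, here is an added illustration (not Immobilise’s or Recipero’s code, and not Moore’s proof of concept) of the pattern described above. The record store, field names and the hypothetical per-record verification token are all constructed for the example. It contrasts a lookup that trusts the ID alone, and the enumeration that makes possible, with two hardened lookups: one bound to the logged-in owner, and one for third-party certificate checks that requires an unguessable token and returns only the fields needed to confirm the item is registered.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    """One ownership certificate. Sample data constructed for this example."""
    record_id: int
    owner: str          # account that registered the item
    name: str
    address: str
    phone: str
    item: str
    serial: str
    value_gbp: int
    # Hypothetical unguessable token printed on the certificate; assumption for
    # the hardened verification path, not a real Immobilise feature.
    verify_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


# Sequential IDs, as the article describes. Constructed sample data.
RECORDS: Dict[int, Record] = {
    1001: Record(1001, "alice", "Alice Example", "1 Sample St", "01234 000000", "Laptop", "SN-AAA", 900),
    1002: Record(1002, "bob", "Bob Example", "2 Sample St", "01234 000001", "Bike", "FRAME-BBB", 600),
    1003: Record(1003, "carol", "Carol Example", "3 Sample St", "01234 000002", "Ring", "MARK-CCC", 2500),
}


def full_view(rec: Record) -> dict:
    """Everything a burglar would want: who, where, what, and what it's worth."""
    return {
        "record_id": rec.record_id, "name": rec.name, "address": rec.address,
        "phone": rec.phone, "item": rec.item, "serial": rec.serial, "value_gbp": rec.value_gbp,
    }


def lookup_insecure(record_id: int) -> Optional[dict]:
    """Insecure by design: the ID is the only 'credential', so anyone who can
    guess it gets the full record. This is the vulnerable pattern."""
    rec = RECORDS.get(record_id)
    return None if rec is None else full_view(rec)


def enumerate_insecure(start: int, stop: int) -> List[dict]:
    """Walk sequential IDs against the insecure lookup: the 'shopping list'.
    A rate limiter slows this down but does not stop it."""
    return [r for r in (lookup_insecure(i) for i in range(start, stop)) if r is not None]


def lookup_owner(record_id: int, session_user: str) -> Optional[dict]:
    """Hardened owner lookup: the record must belong to the authenticated user.
    Missing and foreign records get the same answer so IDs cannot be probed."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        return None
    return full_view(rec)


def verify_certificate(record_id: int, token: str) -> Optional[dict]:
    """Hardened third-party check (police, insurer): needs the unguessable token
    and returns only what is needed to confirm the item is registered, never the
    owner's address or phone."""
    rec = RECORDS.get(record_id)
    if rec is None or not hmac.compare_digest(rec.verify_token, token):
        return None
    return {"record_id": rec.record_id, "item": rec.item, "serial": rec.serial, "registered": True}


if __name__ == "__main__":
    print("insecure enumeration yields", len(enumerate_insecure(1000, 1010)), "records")
    print("alice reading bob's record:", lookup_owner(1002, "alice"))
    print("verify with wrong token:", verify_certificate(1003, "not-the-token"))
    print("verify with right token:", verify_certificate(1003, RECORDS[1003].verify_token))
```

The key change is that the hardened paths never decide access from the ID alone: the owner path ties the record to the session, and the verification path demands a secret that cannot be enumerated and strips the fields a burglar would want. The `hmac.compare_digest` call is there so the token comparison does not leak timing information.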
The initial issue was identified more than a year ago and reported to Recipero, the company responsible for Immobilise. While Recipero did take action, a vulnerability allegedly still remained for more than a year, and was patched only after Moore told Recipero of his intention to publish.
Recipero has maintained that no data was ultimately compromised by the vulnerability. There’s “no evidence of any data leakage,” a statement says. The company has also apologised to its customers, but not for the fault in its software. Instead, Recipero says it “apologises for any alarm that the BBC report on 6th January concerning Immobilise.com may have caused you.”
On Twitter, BBC reporter Dave Lee says that Recipero warned him there were “inaccuracies” in Moore’s report, but that they wouldn’t reveal them unless the BBC “help the article… or alternatively sent them the piece ahead of publication.” The BBC chose not to do so, and Recipero has subsequently failed to respond to the BBC’s enquiries as to the nature of the inaccuracies.