Gaping hole in Google service exposes thousands to ID theft

A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft. The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details - including names, addresses, phone numbers and …

COMMENTS

This topic is closed for new posts.
  1. Rob

    Blimey...

    ... your premium was about 4k, what car were you insuring and did you have previous convictions for hit and run whilst drunk, driving with your knees, keeping your hands free to smoke crack.

    1. Lee Dowling Silver badge

      Re: Blimey...

      £4k isn't a lot.

      I've been quoted nearly £2.5k in the past (obviously didn't touch it with a bargepole) to insure a £300 Mondeo with 3 years NCB third-party only, for a 30-something with kid, clean license, 20k miles.

      Remember, it's a quote. That means they tell you what they want you to pay and then you decide whether to pay or not. In this case, not, but I'm sure there are people out there being quoted at least £4k quite regularly and even some people PAYING that.

      God knows what it costs to insure one of those Porsche 4x4 monstrosities for a mother with a few fender-benders to her name, but I bet it's more than £4k.

      1. Rob

        Re: Blimey...

        ... and again Blimey!

        I get cheesed off when I get a quote back for more than £300 fully comp.

    2. Anonymous Coward

      Re: Blimey...

      My insurance is 1.7k after getting it down from 4.5 by fiddling around with my address. (It's not registered at my grandmother's house)

      I've not had an accident and doing a quote on here it's gone back up to 4k...

      1. rman007

        Re: Blimey...

        Blimeyyy..

        I pay £800 at 23 years old insured on a 3.0 litre BMW with only 1 year no claims.

    3. jrd

      Re: Blimey...

      Jeremy Clarkson was apparently quoted over £20,000 to insure a Ford Escort (a fast one), and that was over 20 years ago. Expensive car insurance isn't only a modern phenomenon!

      (And I think that was before he was famous, so I don't think they pushed the quote up because it was him...)

      1. TeeCee Gold badge

        Re: Blimey...

        That's why Ford phased out the Cosworth.

        It was well known that for many, the annual insurance premium exceeded the cost of the car.

        A colleague told me of a wealthy friend with more money than sense, who bought one as a 21st birthday present for his son. Purchase price was twenty-something grand, cost of insuring it for said son was twenty-something-rather-larger grand. It sat on the drive while this conundrum was pondered.

        During said pondering and while it was sat, uninsured, on said drive it was stolen, thus neatly illustrating one of the reasons why the insurance on them was so pricey.

    4. Anonymous Coward

      Re: Blimey...

      "Occupation: Journalist"

      Cha-ching!

    5. phuzz Silver badge

      Re: Blimey...

      Location has a lot to do with it. My insurance on a 1.4l Peugeot 206 is over £400, even with seven years no claims, presumably because I'm parking it on the street in the middle of Bristol.

      To be fair, it has been broken into several times (I never claimed, they only nicked the stereo), so perhaps they have their reasons.

  2. Anonymous Coward

    Nice and you would hope Google were better than this.

  3. Bronek Kozicki

    nice job, El Reg

    One thing missing. I understand the number of people whose details might have been stolen is very high. Google should now go through the logs to discover the actual people whose details have been stolen. Yes, it will likely cost significant time and resources, but it is exactly what the ICO needs to know, as well as the people affected.

    Google does not seem to care about the responsibility that comes with collection of personal data - it is the ICO's role to teach them. If they do not store the logs to fulfil their responsibility in data protection, the service simply should not have been offered.

    1. Anonymous Coward

      Re: nice job, El Reg

      Google does not seem to care about responsibility coming with collection of personal data

      It never has - that has been the problem from day 1. But try telling that to the believers of "do no harm" ..

      1. Bronek Kozicki

        Re: nice job, El Reg

        yes, the question is: will ICO do something about it? I hope the mandate they have is clear, but are they determined enough to enforce it?

        1. Anonymous Coward

          Re: nice job, El Reg

          Yes, they will immediately write them a stern letter telling them they must do better.

  4. Anonymous Coward

    Google makes shit products Shocker

    Fixed that headline for you.

    1. Anonymous Coward

      Re: Google makes shit products Shocker

      Did you stop reading before the bit about the flaw being with the third party software provider SSP?

      1. David 164

        Re: Google makes shit products Shocker

        Of he didn't, but then that what the headline was design to do. If it was a honest headline, it would have been more Gaping hole found in SSP software use by Google Compare, Go compare and many others ;

        But then that not an attention grabbing, Google hating crowd pleaser is it, to be fair a even better more accurate description be "Gaping hole found in SSP software us by price comparison websites" but that even less attention grabbing than the first one I wrote.

        1. Anonymous Coward

          Re: Google makes shit products Shocker

          Probing new depths here. Not just incapability of using the past tense.

          * THAT'S

          * DESIGNED

          * AN honest headline

          * USED BY

          * AN even better...

          "wrote" is a bit of a strong word to describe what you have done there.

          How do you possibly manage the advanced techniques involved in switching on a computer?

  5. Anonymous Coward

    What a shame Tavis Ormandy didn't spend some more time looking into vulnerabilities in his own company's products.

    Well done to The Register for their seemingly responsible disclosure.

  6. tony2heads

    Bounty?

    Doesn't Google give bounty for people finding holes in their systems?

    Anyone at El Reg looking into that

    -no bounty hunter logo?

    1. David 164

      Re: Bounty?

      I suspect Go Compare offered the anonymous source who discovered the hack enough money to keep it quiet and keep it hidden from Google, so Go Compare got a chance to fix their systems before the hacker or someone else went public with the story via the Register. That way Google Compare and Google as a whole come away with their reputation damaged, and Go Compare comes away smelling of roses.

      Perhaps the Register could confirm whether this anonymous source has any prior dealings with Go Compare and/or other price comparison sites and SSP, and confirm whether or not he sold the flaw to them and for how much. If this information is not forthcoming then do some investigating and find out why it is not forthcoming.

      1. This post has been deleted by its author

      2. John Lettice (Written by Reg staff)

        Re: Bounty?

        Seems to me if you're running a system you have some responsibility to audit what happens to the data entered into it, including after it's left your system. If Go Compare wasn't vulnerable to this flaw, then just maybe it was because Go Compare's techies were doing their job, right?

      3. Anonymous Coward

        @ David 164

        You sir are a complete and utter retard. I must insist that you throw away your keyboard so it does not have to suffer any longer. It is not fair to subject it to this kind of abuse, it wouldn't be so bad if you could actually write a single coherent English sentence.

        I suspect that you are not actually severely mentally disabled but in fact just deliberately and wantonly ignorant which is in fact worse.

        1. David 164

          Re: @ David 164

          At least I am not an anonymous coward.

          1. Anonymous Coward

            Re: @ David 164

            Which surprises me... If my writing was that bad I wouldn't want even a pseudonym associated with it!

    2. John Lettice (Written by Reg staff)

      Re: Bounty?

      As Google is insisting that the hole is in somebody else's system, I do believe I'd have to go legal in order to get any money out of them.

  7. Anonymous Coward

    It's never Google's fault

    Don't we know the party line already? It's always a "contractor", "rogue engineer", "consultant in India"...

    Google is nothing but fucking perfect and makes no shit whatsoever. Actually, it does make shit but it's delicious, low in fat and you only need to watch Grannydating ads to have it.

    1. This post has been deleted by its author

    2. asdf

      Re: It's never Google's fault

      It's only Thursday but we already have a sure-fire winner for shit post of the week. Congratulations.

  8. James 100

    Not just insurance

    My employer offered a local discount card through their online store system, and I bought one. The final stage said "you have now been logged out; to view your receipt, go to http://store.example.ac.uk/receipt?id=123". Wait ... if I was logged out, how could that URL authenticate me?

    Sure enough, changing the 123 yielded the details of other customers: what they bought, how they paid, delivery address etc. Whoops. I contacted the internal person in charge, who said "oops ... that's hosted by an outside contractor, we will go and shout at them now". To be fair, they did get it fixed when I pointed it out, but it's alarming that a fault that obvious existed in the first place!
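The receipt-URL fault James 100 describes is the classic insecure direct object reference: the numeric id alone selects the record, and nothing ties it to the person asking. The following is an added illustration, not code from the commenter's employer or from any store product; the receipt records, the `SERVER_SECRET`, and the function names are all constructed for the demo. It shows the flawed lookup next to two fixes: an ownership check for a logged-in session, and, for the "you are now logged out" case the post mentions, a short-lived HMAC-signed capability token so the receipt link still works but cannot be edited to point at someone else's order.

```python
import hashlib
import hmac
import time

# Constructed sample data standing in for the store's receipt table.
RECEIPTS = {
    123: {"customer": "alice", "items": ["discount card"],
          "paid_with": "card ending 1111", "address": "1 Example Street"},
    124: {"customer": "bob", "items": ["discount card"],
          "paid_with": "card ending 2222", "address": "2 Example Street"},
}

# Hypothetical server-side key; a real deployment would load this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-not-for-reuse"


def get_receipt_vulnerable(receipt_id):
    """The flaw in the post: whoever supplies ?id=N gets record N, no questions asked."""
    return RECEIPTS.get(receipt_id)


def get_receipt_for_user(current_user, receipt_id):
    """Fix for a logged-in session: look the record up, then check it belongs to the caller.
    Returning None for both 'missing' and 'not yours' avoids leaking which ids exist."""
    record = RECEIPTS.get(receipt_id)
    if record is None or record["customer"] != current_user:
        return None
    return record


def _sign(receipt_id, expiry):
    msg = f"{receipt_id}:{expiry}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_receipt_token(receipt_id, ttl_seconds=900, now=None):
    """Fix for the logged-out case: issue a capability token bound to one receipt and an
    expiry. Format is '<id>.<expiry>.<hex signature>'; the id is visible but not editable."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    return f"{receipt_id}.{expiry}.{_sign(receipt_id, expiry)}"


def get_receipt_by_token(token, now=None):
    """Verify the token before touching the data: well-formed, unexpired, and signed by us."""
    try:
        rid_s, exp_s, sig_hex = token.split(".")
        receipt_id, expiry = int(rid_s), int(exp_s)
    except ValueError:
        return None  # malformed token
    now = int(time.time()) if now is None else now
    if now > expiry:
        return None  # link has expired
    # constant-time comparison so signature checking does not leak timing information
    if not hmac.compare_digest(_sign(receipt_id, expiry), sig_hex):
        return None  # id or expiry was tampered with, or token was forged
    return RECEIPTS.get(receipt_id)


if __name__ == "__main__":
    print("vulnerable lookup of someone else's id:", get_receipt_vulnerable(124))
    print("ownership-checked lookup as alice for 124:", get_receipt_for_user("alice", 124))
    token = make_receipt_token(123)
    print("signed receipt link works:", get_receipt_by_token(token)["customer"])
    tampered = "124." + token.split(".", 1)[1]
    print("same link with id edited to 124:", get_receipt_by_token(tampered))
```

Running the demo shows the original bug (any id returns any record), then the two hardened paths: the ownership check refuses a record the session does not own, and the signed link still opens receipt 123 after logout but returns nothing once the id in the URL is changed, because the signature no longer matches.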

