Burglars' delight no more: Immobilise UK secures property list

Security flaws that left millions of records on the Immobilise UK National Property Register website wide open to snooping have been identified and removed. Security consultant Paul Moore uncovered flaws that meant it was possible to access other members' records. The Immobilise site allows consumers to add details of …

  1. Anonymous Coward

    change the web address??

    "The main concern raised by the security flaw was that it may have been possible for miscreants to develop a script to go through the site and harvest property details. Intrusion prevention or other security technologies might have been tripped by such behaviour."

    I really doubt that. If they've not noticed you can change the URL to another user's ID and see their records, I'm pretty certain they haven't implemented an "oh no, all our members have the same IP" alarm.

    You have to at least build a lock before you can lock it!

    This is like assuming your users will only access parts of the network that they have a mapping to.

    1. BristolBachelor

      Re: change the web address??

      In addition, the fact that this guy found it, means that he accessed the records of someone else. Yet "Recipero...has no evidence that any of the sensitive information had been siphoned off."

      Gives me the feeling that their "intrusion protection" alarm might be a red light bulb that is not wired-up.

    2. Phil Endecott

      Re: change the web address??

      > Intrusion prevention or other security technologies might have been tripped by such behaviour.

      I read that as, "if they had had intrusion prevention, it might have detected it".

    3. Mark 65

      Re: change the web address??

      I think the intrusion detection part might be related to it being hosted by CloudFront etc. that would notice suspicious activity patterns depending on how smart any scraping script was.

      The creators of the site clearly have no smarts whatsoever.

    4. Tom Sparrow

      Re: change the web address??

      The way I read the info (on the original report directly), it's not that it was possible to read another user's list of items, you have to know the user ID and item (certificate) ID. The items were sequentially numbered, but you had to know which user has which ID to find it.

      It's still wrong, but not quite as simple as looking up another user's entire item list - there's at least 2x10^13 possible combinations judging by the numbers on his report, and only 1/4,000,000 will produce a result.

      I assume he tested by setting up a second account (or just logging out), so didn't access any records he shouldn't have access to. He'd also know the account ID & record ID he was looking for, so wouldn't trip any alarms scanning through a million incorrect combinations first.

      1. RamblingRant

        Putting it into perspective...

        Hi Tom

        I'm very grateful you've actually thought the risk through and I suspect you already know the following, but let me clarify a couple of points for everyone else.

        In order to locate an item (or all items), you'd need to enumerate every possible combination, like so:

        User 1

        Cert 1, then 2, then 3, then 4 etc... until 28,000,000.

        User 2

        Cert 1, then 2, then 3, then 4 etc... until 28,000,000.

        ... and so on until you reach all 4.2 million members.

        At first glance, that seems infeasible... but it all depends how smart the script is. There's no doubt it'd take many hours and almost certainly trip an IDS warning, but there are far more efficient ways to go about it.

        For example...

        1) We know there are 4.2 million members & 28 million records, meaning an average of 7 items per user.

        2) It's also reasonable to assume many of those items will be added one after another, but we need a fair tolerance to account for edge cases. Instead of blindly searching every cert ID, we can limit the scope to 1000 records before & after the data from the previous attempt.

        3) With each successful "hit", we're able to narrow the search space considerably.

        If user ID 400 and cert ID 10200084 (10 million, 200 thousand and 84) is successful, we'll know to start user ID 401 from cert ID 10200085 and above.

        That way, successful hits happen faster as the time increases, but also limits the amount of requests necessary to pull off the attack, reducing the impact of IDS/IPS constraints.

        There's a wealth of other information an attacker could use to make the attack not only effective, but very efficient.

        Keep a look out for the follow-up article on the blog & BBC. This is the tip of the iceberg.
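
An added example, not part of the original comments or of Recipero's code: a sketch of why a volume-based alarm can stay silent on slow, targeted requests like those discussed in this thread, while comparing the owner ID in the URL with the session's own account flags every one of them. The log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (hypothetical format): epoch seconds, the
# account the session is logged in as, the owner and cert IDs from the URL.
SAMPLE_LOG = """\
1000 auth=17 owner=17 cert=5000123 status=200
1005 auth=17 owner=17 cert=5000124 status=200
2000 auth=900 owner=400 cert=10200084 status=200
2600 auth=900 owner=401 cert=10200085 status=404
3200 auth=900 owner=401 cert=10200086 status=200
3800 auth=900 owner=402 cert=10200087 status=200
"""

LINE = re.compile(r"(\d+) auth=(\d+) owner=(\d+) cert=(\d+) status=(\d+)")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log.splitlines():
        m = LINE.fullmatch(raw.strip())
        if m:
            ts, auth, owner, cert, status = map(int, m.groups())
            yield {"ts": ts, "auth": auth, "owner": owner,
                   "cert": cert, "status": status}

def rate_alerts(events, window=60, threshold=20):
    """Volume alarm: accounts with more than `threshold` requests in `window` s."""
    by_auth = defaultdict(list)
    for e in events:
        by_auth[e["auth"]].append(e["ts"])
    flagged = set()
    for auth, stamps in by_auth.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(auth)
    return flagged

def ownership_alerts(events):
    """Per account: requests whose URL owner is not the logged-in account."""
    report = defaultdict(lambda: {"requests": 0, "served": 0, "owners": set()})
    for e in events:
        if e["owner"] != e["auth"]:
            r = report[e["auth"]]
            r["requests"] += 1
            r["served"] += e["status"] == 200  # a 200 means data was returned
            r["owners"].add(e["owner"])
    return dict(report)
```

The same comparison, enforced in the request handler rather than in log review, is the actual fix: a request whose owner ID is not the session's account is refused before any record is read.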


  2. Crisp

    "a thorough review of records revealed no evidence of irregular usage"

    That's only really meaningful if they keep thorough records.

  3. Anonymous Coward

    The site shouldn't expect you to provide your full address. It can be provided at a later date if needed.

  4. Bogle

    Lacking nous, methinks

    That's basic stuff, right there. I would be extremely wary of ever trusting a mob who fluff it that badly. They quite simply lack the nous to write a halfway decent system.

    1. Anonymous Coward

      Re: Lacking nous, methinks

      Shows how easy it is to obtain taxpayer funds though. I'd imagine if this is the Police go-to resource there's been some pork issued.

  5. Anonymous Coward

    And another thing ...

    On another site (too tired to remember which, sorry) they were pointing out the Ts & Cs, or was it the Privacy Policy, gave the web site operator permission to turn all this information over to all sorts of people. One example was ensuring that Sales Taxes had been paid!

    Obviously modern big government cannot operate unless it has up-to-date information about what you own and from whom you acquired it.
