Reply to post: Re: change the web address??

Burglars' delight no more: Immobilise UK secures property list

Tom Sparrow

Re: change the web address??

The way I read the info (on the original report directly), it's not that it was possible to read another user's list of items; you have to know the user ID and item (certificate) ID. The items were sequentially numbered, but you had to know which user has which ID to find it.

It's still wrong, but not quite as simple as looking up another user's entire item list - there's at least 2x10^13 possible combinations judging by the numbers on his report, and only 1/4,000,000 will produce a result.

I assume he tested by setting up a second account (or just logging out), so didn't access any records he shouldn't have access to. He'd also have known the account ID & record ID he was looking for, so wouldn't trip any alarms scanning through a million incorrect combinations first.


Biting the hand that feeds IT © 1998–2021