A Truly Embarrassing IT Security Vulnerability

Scott Calonico

Few IT vendors achieve complete security perfection, and you’d seriously struggle to find a big industry name who hasn’t at some point suffered some reputational damage as the result of a security flaw.

However, when your product’s sole purpose is to protect the security of an individual’s household possessions, and a flaw is uncovered that’s easily exploited and turns the product into what the media describe as a “burglar’s shopping list” – well, that’s really embarrassing.

The product in question is a UK-based Web application called “Immobilise,” which allows individuals to log details of their valuable personal possessions. The online service had been recommended to citizens by a host of UK regional police forces.

A Fundamental Flaw

Despite Immobilise having been assured as “fit for purpose” by independent auditors, according to a BBC report, the security flaw that was discovered was really basic, and potentially easy to exploit with no real specialist knowledge.

Essentially, all anyone needed to do was change some numbers in the website URL displayed when viewing a record, and they could instantly view other user’s records with no need for any passwords or user credentials.

What made the vulnerability so embarrassing is the actual purpose of the Immobilise site. Police forces encourage people to log details of their valuable items, so that the authorities can track down stolen goods more easily.

However, flipped around the other way, the site had the potential to become the aforementioned “burglar’s shopping list.” All a criminal needed to do was change the website URL, and be led directly to a list of valuable items in a potential victims house. All the details were there, right down to item values and serial numbers.

Resolution

We should, at this point, make clear that the bug has now been fixed, and that the software vendor, Recipero, have (perhaps unsurprisingly) stated that they have seen “no evidence of irregular usage.”

The IT security consultant who found the vulnerability also agreed that it was “very unlikely” burglars had attacked any households due to information found using the unpatched website.

Clearly this story is ironic to the point of amusing, when you have a site designed to help protect possessions running insecurely to the point of potentially advertising them to criminals. However, it does go to show just how important it is to fully test public-facing websites before deployment.

This story didn’t receive a huge amount of coverage outside of the UK or the IT security press, and Recipero’s reputation will no doubt recover in time. But one can be sure that somebody, somewhere has received, at best, a particularly stern “telling off!”