28 Million Records on Immobilise Website Exposed Due To Privacy Flaw
Immobilise
Immobilise is the world’s largest free register of possession ownership details, with roughly 4.2 million registered users. Users register valuables such as bikes, computers and phones, and the site is said to hold records of 28 million registered items. Immobilise and its partner websites, the Police’s National Mobile Property Register (NMPR) and CheckMEND, have proved very helpful in tracing lost or stolen valuables in the United Kingdom. Most of its services are used by insurance companies and police authorities.
Vulnerability
According to Paul Moore, the Immobilise website was affected by a Direct Object Reference (DOR) vulnerability. The bug exposed names, addresses, phone numbers, email addresses and details of registered items (serial numbers, IMEIs in the case of smartphones, unique marks, value) to cyber criminals. The vulnerability stems from the URL presented to users who wish to register their products on Immobilise. To establish ownership, they are expected to download an ownership certificate from Immobilise in PDF format. The download URL carries two parameters, a user ID and a certificate ID, and both are sequential, so a malicious actor could easily access every account and every record on the Immobilise server.
Further investigation into the Immobilise website revealed that the DOR is actually used by the police and insurance companies to verify the authenticity of an ownership certificate based on its ID. Moore informed Recipero, the company that develops the Immobilise, CheckMEND and NMPR websites, and the issue has since been fixed. Moore also discovered that the CheckMEND and NMPR websites were vulnerable to SSL 3.0 POODLE attacks, and the company has patched these vulnerabilities as well.
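As an added illustration (not Recipero's or Immobilise's code), the following Python sketch contrasts a certificate download handler with the sequential-ID flaw described above against one that authorises on the server-side session and gives police and insurers an unguessable token for authenticity checks instead of the database ID. The data store, user and certificate IDs and field names are constructed for the example.

```python
# Added example, not code from Immobilise or Recipero. Models the flaw
# described in the article: a download URL carrying sequential user and
# certificate IDs with no check that the requester owns the record.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Certificate:
    cert_id: int               # sequential database key (guessable)
    owner_id: int              # user who registered the item
    token: str                 # unguessable public reference for verifiers
    details: Dict[str, str] = field(default_factory=dict)  # name, serial, IMEI ...


# Constructed sample data: two users (100, 101), two certificates.
CERTS: Dict[int, Certificate] = {
    1: Certificate(1, 100, secrets.token_urlsafe(24), {"name": "A. Owner", "serial": "SN-0001"}),
    2: Certificate(2, 101, secrets.token_urlsafe(24), {"name": "B. Owner", "serial": "SN-0002"}),
}


def download_certificate_vulnerable(user_id: int, cert_id: int) -> Optional[Dict[str, str]]:
    """Mirrors the reported behaviour: both IDs come straight from the URL and
    user_id is never compared with the record, so any cert_id is served."""
    cert = CERTS.get(cert_id)
    return cert.details if cert else None


def download_certificate_hardened(session_user_id: int, cert_id: int) -> Optional[Dict[str, str]]:
    """Authorises against the authenticated session, not the URL: the full
    certificate (personal data included) is returned only to its owner.
    'Not found' and 'not yours' get the same answer so IDs cannot be probed."""
    cert = CERTS.get(cert_id)
    if cert is None or cert.owner_id != session_user_id:
        return None
    return cert.details


def verify_certificate(token: str) -> bool:
    """What police and insurers need: an authenticity check keyed by a random
    token that discloses nothing beyond 'genuine or not'."""
    return any(secrets.compare_digest(c.token, token) for c in CERTS.values())
```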