Property Records of Over 4 Million UK Business & Consumers Exposed

Jan 20, 2015 | IT Security

Immobilise, the online property register, was recently found to have a security flaw in its system. This flaw could have put the 4.2 million users of Immobilise at risk of falling victim to burglars.

Immobilise is the world’s largest free register of ownership details, which is, in theory, a brilliant method of keeping a record of valuable possessions and purchase details in case of theft. More than 28 million items are registered on the system, ranging from bikes and computers to phones and jewellery.

Along with its partner services, the Police’s National Mobile Property Register (NMPR) and CheckMEND, Immobilise can help to trace the owner of an item when property is lost or stolen.

However, if they get into the wrong hands, these lists of valuables can serve as a shopping list for criminals.

According to UK-based IT security consultant Paul Moore, the risk of criminals obtaining these lists came from an insecure direct object reference (IDOR) vulnerability: the application served a record based on an identifier supplied in the request, without checking that the person making the request was entitled to that record. The bug exposed confidential customer details such as names, addresses, telephone numbers and email addresses, together with details of the registered items, including IMEIs, serial numbers, unique features and values. This information would be highly valuable to anyone intending to act maliciously.

Moore discovered the flaw when analysing the URL that users of Immobilise are given when they download a PDF ownership certificate. The URL contains two parameters representing the user ID and the certificate ID. Using just these two parameters, an attacker could access any account and every record registered on Immobilise simply by trying different combinations.

As a user you’re given a link which looks something like this.


This easy access is a direct result of the two parameters being sequential numbers rather than random, unguessable values.

According to an explanation on Moore’s website: “An attacker wouldn’t know the “User ID” or “Certificate ID”, so it’s safe, right?

Far from it! The numbers aren’t random, they’re sequential, thus deterministic. If the last certificate number is 7161519, the next is 7161520 and so on. However, if someone happens to add another item to their account before you, your next number is 7161521.

By simply looping through every combination, it’s possible to collect all 28+ million entries.
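The handler described above, modelled as an added example (this is not Immobilise's code, and the record data, IDs and function names are constructed for the illustration). The vulnerable handler checks that the certificate belongs to the user ID in the URL but never compares that with the logged-in session, so anyone can loop through the sequential ID space; the hardened version authorises against the session identity and, as defence in depth, hands out a random download token instead of the sequential number.

```python
"""Insecure direct object reference on a certificate download.

Constructed example: the records, IDs and handler names below are invented
for the illustration and are not Immobilise's code or data.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    cert_id: int      # sequential, like the 7161519, 7161520, ... numbers Moore describes
    owner_id: int     # sequential user ID
    item: str
    serial: str       # IMEI / serial number: exactly what a thief wants


# Constructed sample records: two users, three consecutive certificate IDs.
CERTS: Dict[int, Certificate] = {
    7161519: Certificate(7161519, 1001, "laptop", "SN-A1B2C3"),
    7161520: Certificate(7161520, 1002, "phone", "IMEI-350000000000001"),
    7161521: Certificate(7161521, 1001, "bicycle", "FRAME-9981"),
}


def vulnerable_download(session_user_id: int, user_id: int, cert_id: int) -> Optional[Certificate]:
    """The flaw: ownership is checked against the user_id in the URL, not
    against session_user_id (who is actually logged in). The session is
    therefore irrelevant and any (user_id, cert_id) pair that exists is served."""
    cert = CERTS.get(cert_id)
    if cert is None or cert.owner_id != user_id:
        return None
    return cert


def hardened_download(session_user_id: int, user_id: int, cert_id: int) -> Optional[Certificate]:
    """The fix: authorise against the authenticated identity. The URL's
    user_id is ignored. A certificate that exists but belongs to someone else
    returns the same None as a missing one, so responses do not reveal which
    IDs are valid."""
    cert = CERTS.get(cert_id)
    if cert is None or cert.owner_id != session_user_id:
        return None
    return cert


def enumerate_certificates(download, session_user_id, user_ids, cert_ids):
    """What an attacker does with deterministic IDs: try every combination of
    user_id and cert_id through whichever handler is under test."""
    found = []
    for cert_id in cert_ids:
        for user_id in user_ids:
            cert = download(session_user_id, user_id, cert_id)
            if cert is not None and cert not in found:
                found.append(cert)
    return found


# Defence in depth: issue an unguessable token per download instead of
# exposing the sequential number, so a link cannot be turned into its
# neighbours by adding one.
TOKENS: Dict[str, int] = {}


def issue_download_token(session_user_id: int, cert_id: int) -> Optional[str]:
    """Only the owner can obtain a token; 256 random bits make guessing hopeless."""
    if hardened_download(session_user_id, 0, cert_id) is None:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = cert_id
    return token


def token_download(session_user_id: int, token: str) -> Optional[Certificate]:
    """Resolve the token and still re-check ownership: a leaked link must not
    work for anyone except the account it was issued to."""
    cert_id = TOKENS.get(token)
    if cert_id is None:
        return None
    return hardened_download(session_user_id, 0, cert_id)


if __name__ == "__main__":
    attacker = 1002  # owns only certificate 7161520
    ids, users = range(7161519, 7161522), range(1001, 1003)
    print("vulnerable:", [c.cert_id for c in enumerate_certificates(vulnerable_download, attacker, users, ids)])
    print("hardened:  ", [c.cert_id for c in enumerate_certificates(hardened_download, attacker, users, ids)])
```

The attacker's own session only ever yields the attacker's own record once ownership is tied to the session; the token layer is optional on top of that check, never a substitute for it.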

The IT security consultant was keen to emphasise that he had not attempted to harvest any private information, and that if you did try, “it’ll take some time and you’re bound to hit a rate limiter along the way.”

He suggests that this rate limiter comes from Immobilise’s use of CloudFlare, a service that can throttle a client if it recognises unusual activity. A rate limiter slows bulk harvesting but does not fix the underlying flaw: the correct fix is to check that the logged-in user owns the requested record, with unguessable identifiers as an additional safeguard.
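To show what “bound to hit a rate limiter” means in practice, and its limits, here is an added example of a sliding-window limiter of the general kind described (this is constructed for the illustration; CloudFlare's actual rules are not public and are not modelled). A burst of requests is cut off after the limit, but the same enumeration spread out slowly enough stays under the threshold, which is why throttling is a speed bump rather than a fix.

```python
"""Sliding-window rate limiter versus an ID-enumeration loop.

Constructed example: the limit, window and request pattern are invented to
illustrate the behaviour; they do not describe CloudFlare's real settings.
"""
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per client key within any `window`-second span."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of recent allowed requests

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # the request would be answered with HTTP 429
        q.append(now)
        return True


def simulate_enumeration(limiter: RateLimiter, key: str, n_requests: int, interval: float):
    """Issue n_requests for consecutive IDs, `interval` seconds apart, from one client.
    Returns (served, blocked)."""
    served = blocked = 0
    for i in range(n_requests):
        if limiter.allow(key, i * interval):
            served += 1
        else:
            blocked += 1
    return served, blocked


if __name__ == "__main__":
    # 100 requests per minute per client (an assumed policy).
    burst = simulate_enumeration(RateLimiter(100, 60.0), "203.0.113.7", 1000, 0.01)
    slow = simulate_enumeration(RateLimiter(100, 60.0), "203.0.113.7", 1000, 1.0)
    print("1000 requests in 10 s  -> served, blocked:", burst)
    print("1000 requests at 1/s   -> served, blocked:", slow)
```

One request per second is 60 per minute, under an assumed limit of 100, so the slow scan never triggers the limiter; at that pace 28 million records is roughly eleven months of patient polling, or far less when spread over many client addresses.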
