
Property Records of Over 4 Million UK Businesses & Consumers Exposed

Jan 20, 2015 | IT Security

Immobilise, the online property record, was recently plagued by a security flaw in its system. This crucial flaw could have put the 4.2 million users of Immobilise at risk of falling victim to potential burglars.

Immobilise is the world’s largest free register of ownership details, which is, in theory, a brilliant method of keeping a record of valuable possessions and purchase details in case of theft. More than 28 million different items are registered on the system, ranging from bikes to computers to phones and jewellery.

Along with its partner websites, the Police’s National Mobile Property Registers (NMPR) and CheckMEND, Immobilise can help to track the owner of an item when the property is lost or stolen.

However, if they get into the wrong hands, these lists of valuables can serve as a shopping list for criminals.

According to UK-based IT security consultant Paul Moore, the risk of criminals obtaining these lists was the result of a direct object reference vulnerability. This type of bug revealed confidential customer details, such as names, addresses, telephone numbers and email addresses. It even revealed important information about the valuable items registered on the system, including IMEIs, serial numbers, unique features and specific values. This information would be highly valuable to anyone intending to act maliciously.

Moore discovered the flaw when analysing the URL that regular users of Immobilise are presented with when they download the PDF version of an ownership certificate. The URL contains two parameters that represent the user ID and the certificate ID. Using just these two parameters, an attacker could easily access any of the accounts and all of the records registered on Immobilise simply by trying out different combinations.

As a user you’re given a link which looks something like this.


This easy access is simply a result of the sequential order in which these parameter values are assigned.

According to an explanation on Moore’s website: “An attacker wouldn’t know the ‘User ID’ or ‘Certificate ID’, so it’s safe, right?

“Far from it! The numbers aren’t random, they’re sequential, thus deterministic. If the last certificate number is 7161519, the next is 7161520 and so on. However, if someone happens to add another item to their account before you, your next number is 7161521.

“By simply looping through every combination, it’s possible to collect all 28+ million entries.”

The IT security consultant was keen to emphasise that he hadn’t attempted to harvest any private information, and that if you do try, “it’ll take some time and you’re bound to hit a rate limiter along the way.”

He suggests that this rate limiter is a result of Immobilise’s use of CloudFlare, a service that can introduce limits if it recognises any unusual activity.
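The server-side fix for this class of bug is an ownership check tied to the logged-in session, with rate limiting only as a backstop. The sketch below is an added example, not code from Immobilise or from Moore’s write-up; the record store, function names, user IDs and the assumed behaviour of the flawed handler are all hypothetical.

```python
import secrets

# Constructed sample records keyed by sequential certificate ID.
CERTIFICATES = {
    7161519: {"owner_id": 1001, "item": "Laptop (constructed record)"},
    7161520: {"owner_id": 1002, "item": "Bicycle (constructed record)"},
}
_TOKENS = {}  # opaque download token -> (owner_id, cert_id)


class Forbidden(Exception):
    """Raised when the caller is not entitled to the record."""


def get_certificate_flawed(url_user_id, url_cert_id):
    # Assumed flawed pattern: both IDs are read from the URL and only
    # compared with each other, never with the logged-in session.
    record = CERTIFICATES.get(url_cert_id)
    if record is None or record["owner_id"] != url_user_id:
        raise Forbidden("not found")
    return record["item"]


def get_certificate_checked(session_user_id, url_cert_id):
    # Identity comes from the server-side session, not from the URL.
    record = CERTIFICATES.get(url_cert_id)
    # One error for "missing" and "not yours", so responses do not
    # confirm which certificate IDs exist.
    if record is None or record["owner_id"] != session_user_id:
        raise Forbidden("not found")
    return record["item"]


def issue_download_token(session_user_id, cert_id):
    # Defence in depth: hand out an unguessable reference instead of the
    # sequential ID, after the same ownership check.
    get_certificate_checked(session_user_id, cert_id)
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (session_user_id, cert_id)
    return token


def redeem_download_token(session_user_id, token):
    owner_id, cert_id = _TOKENS.get(token, (None, None))
    if owner_id is None or owner_id != session_user_id:
        raise Forbidden("not found")
    return get_certificate_checked(session_user_id, cert_id)
```

The random token only makes references hard to guess; the ownership check is what actually prevents one user from reading another user’s record.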

