Immobilise, the online property record, was recently plagued by a security flaw in its system. This crucial flaw could have put the 4.2 million users of Immobiliser at risk of falling victim to potential burglars.
Immobilise is the world’s largest free register of ownership details, which is, in theory, a brilliant method of keeping record of valuable possessions and purchase details in case of theft. More than 28 million different items are registered on the system, ranging from bikes to computers to phones and jewellery.
Along with its partner websites, the Police’s National Mobile Property Registers (NMPR) and CheckMEND, Immobilise can help to track the owner of an item when the property is lost or stolen.
However, if they get into the wrong hands, these lists of valuables can serve as a shopping list for criminals.
According to UK-based IT security consultant, Paul Moore, the risk of criminals obtaining these lists was a result of a direct object reference vulnerability. This is a type of bug that revealed confidential customer details in these lists, such as their names, addresses, telephone numbers and email addresses. It even revealed important information about the valuable items that are registered on the system, including IMEIs, serial numbers, unique features and specific values. These pieces of information would be highly valuable for anyone intending to act maliciously.
Moore discovered this flaw when analysing the URL that regular users of Immobilise are presented with when they download an ownership certificate for the PDF version of the system. This URL contains two parameters that are representative of the user ID and the certificate ID. Using just these two parameters, an attacker could easily access any of the accounts and all of the records registered on Immobilise simply by trying out different combinations.
As a user you’re given a link which looks something like this.
This easy access is a simple result of the sequential order in which these parameters are presented.
According to an explanation on Moore’s website: “An attacker wouldn’t know the “User ID” or “Certificate ID”, so it’s safe, right?
Far from it! The numbers aren’t random, they’re sequential, thus deterministic. If the last certificate number is 7161519, the next is 7161520 and so on. However, if someone happens to add another item to their account before you, your next number is 7161521.
By simply looping through every combination, it’s possible to collect all 28+ million entries.”
The IT security consultant was keen on emphasising the fact that he hadn’t attempted to harvest any private information, and that if you do try to “it’ll take some time and you’re bound to hit a rate limiter along the way.”.
He suggests that this rate limiter is a result of Immobilise’s use of CloudFlare services, which is a system that can introduce limits if it recognises any unusual activity.