
Gaping hole in Google service exposes thousands to ID theft

Vast number of car insurance hunters at risk by flaw


Exclusive: A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft.

The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details - including names, addresses, phone numbers and job - to be harvested at will.

Information about the flaw was passed to The Register last week by a source who wishes to remain anonymous, but who is familiar with motor insurance aggregation systems. The data could be accessed via a simple edit of a motor insurance proposal form. The Register created a fictitious motorist for this purpose, and completed an online proposal form using Google Compare.

Google Compare sends this form to numerous underwriters - there can be at least 100 of these - and then Google offers you details of the companies that wish to offer a quote, together with their prices.

Some of these companies' quotes, however, can be illicitly accessed. After we had made a simple edit to a vulnerable document, we were no longer viewing our own proposal form, but those of unrelated individuals.

When the edited document was passed to the vulnerable system, an entirely different proposal - often from an entirely unrelated underwriter - was displayed. Essentially, once a criminal has a form fielded by the vulnerable system, he could repeatedly edit the form in order to obtain complete details of a new person every time. The process would not be difficult to automate.

Nor does it appear that all of these people applied for insurance via Google Compare, because some of the forms we viewed were apparently quotes from other insurance comparison sites.

The problem was potentially vast. The Register understands that the flaw lies in third-party software external to Google Compare, operated by insurance and financial specialist SSP. But although Google's own in-house systems were not directly compromised, the SSP system effectively allows criminals to operate Google Compare as a massive identity theft portal.

Our source claimed the SSP system is used by about 20 per cent of motor insurance brokers working with Google Compare, but that "quotes from near enough all car insurance comparison sites in the UK go through this system, so you will find all Google Compare's customers in there, and other comparison sites' customers also".

"Your quote from Go Compare..." You were sitting down, weren't you?

The quote above, accessed using the Google Compare flaw, appears to have been offered via Go Compare, not the spookily similarly named Google Compare.

The SSP system appears to act as a host for quote forms from a range of brokers and aggregators. Aside from this system's ability to leak unrelated forms, Google's own security could be viewed as overly lax.

"Some other aggregators do a server-side redirect," says our source. "Other aggregators do not send the real contact details. It's Google that chooses to send to this system."

Screengrab: our crash test dummy's personal details, leaked by the vulnerable web system, and another quote inappropriately accessed

After verifying the existence of the flaw, The Register notified the Information Commissioner's Office (ICO) and Google, informing the latter of our intention to publish this story.

Within hours of being notified, a Google spokesman told us it had suspended insurers using SSP software from its comparison site - meaning the flaw can no longer be exploited via Google Compare.

Google also sent us a statement:

As soon as we became aware of this problem, which occurs on certain broker websites that use SSP software, we suspended those brokers. We have raised this issue with SSP and have asked them to address it immediately.

The ICO responded that it would begin enquiries before deciding what action, if any, was required.

We asked Google if it will report itself to the ICO. The company responded that it was SSP and the insurance brokers who had suffered a data breach, not Google. The search giant argued that the same problem exists with all aggregator sites, and said "we didn't hold contracts with SSP - SSP holds contracts with those brokers" and "we're not responsible for content".

Which is a similar argument to the one Google uses regarding other media it links to. Essentially, the company believes it has no legal responsibility for what happens to the user after they've clicked on a link. And yet Google Compare undoubtedly collected personal data at the form-filling stage and passed it on to a third party whose software appears to be insecure. According to Google, that's not its fault.

The Register contacted SSP, and will update our readers when we have received a response.

Although Google insists this isn't its problem and that the same bug exists in other motor insurance aggregators, The Register has been unable to verify the latter claim. A check of Go Compare, for example, confirmed that the site does link to brokers using SSP software, but it does not seem to be possible to manipulate the quote proposal document in the same way that was, until yesterday, possible with Google Compare.

The Register's source said it is likely some aggregators are indeed vulnerable to the flaw, but that others were already aware of it and had taken steps to stop it being exploited via their websites.

It seems there are two important aspects to the security bug: First, the way SSP's software handles document storage and retrieval, and second, the security of the identification process. The flaw in the latter lay somewhere on the road from Google to SSP to broker - but that's one for the ICO to figure out. ®
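The two aspects above, retrieval and identification, are the two halves of the bug class usually called an insecure direct object reference: a stored document is served to whoever names it, without checking that the requester is the person it belongs to. The following is an added illustration written for this article, not SSP's, Google's or any broker's code; the proposal store, session names, tokens and access-log lines are all constructed. It shows a lookup with the defect beside a hardened version that binds each proposal to the session that created it and replaces guessable references with random tokens, plus a simple check over access logs for the automated enumeration the article warns of.

```python
"""Illustration of the bug class described in the article: a quote lookup
that serves any stored proposal named in the submitted form, beside a
hardened version, and a log check for enumeration.  Everything here is
constructed for the example; it is not the software discussed above."""
import hmac
import secrets

# Constructed sample store: proposals keyed by a small, sequential id.
PROPOSALS = {
    1: {"name": "A. Driver", "postcode": "AB1 2CD", "broker": "Broker One"},
    2: {"name": "B. Motorist", "postcode": "EF3 4GH", "broker": "Broker Two"},
}


def get_proposal_vulnerable(form):
    """Defective pattern: returns whatever proposal the form's 'quote_ref'
    names.  The requester's identity is never consulted, so editing the
    reference yields somebody else's details."""
    return PROPOSALS.get(int(form["quote_ref"]))


class HardenedStore:
    """Same service with two fixes: (1) every lookup is authorised against
    the session that created the proposal, and (2) references are random
    tokens rather than sequential ids, so they cannot be enumerated."""

    def __init__(self):
        self._by_token = {}   # token -> (owning session id, proposal)

    def create(self, session_id, proposal):
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._by_token[token] = (session_id, proposal)
        return token

    def get(self, session_id, form):
        entry = self._by_token.get(form.get("quote_ref", ""))
        if entry is None:
            return None
        owner, proposal = entry
        # Refuse anything not owned by the requesting session; the
        # constant-time compare avoids leaking the owner via timing.
        if not hmac.compare_digest(owner, session_id):
            return None
        return proposal


# Constructed access-log lines: session id, quote reference, HTTP status.
# A genuine applicant sees only their own quote; sess-gamma walks ids.
SAMPLE_LOG = """\
sess-alpha quote_ref=1 200
sess-gamma quote_ref=1 200
sess-gamma quote_ref=2 200
sess-gamma quote_ref=3 200
sess-gamma quote_ref=4 200
sess-beta quote_ref=2 200
""".splitlines()


def flag_enumeration(lines, threshold=3):
    """Return the sessions that fetched more than `threshold` distinct quote
    references, the signature of the automated harvesting described above."""
    seen = {}
    for line in lines:
        session, ref, _status = line.split()
        seen.setdefault(session, set()).add(ref)
    return sorted(s for s, refs in seen.items() if len(refs) > threshold)


if __name__ == "__main__":
    print("vulnerable lookup:", get_proposal_vulnerable({"quote_ref": "2"}))
    store = HardenedStore()
    token = store.create("sess-alpha", PROPOSALS[1])
    print("owner fetch:", store.get("sess-alpha", {"quote_ref": token}))
    print("other session:", store.get("sess-beta", {"quote_ref": token}))
    print("enumerating sessions:", flag_enumeration(SAMPLE_LOG))
```

The ownership check is the part that matters: a random token alone only slows an attacker down, and an ownership check alone still leaves sequential ids as a convenient map of how many records exist. Applying both, and alerting on sessions that touch many distinct references, covers the storage-and-retrieval half and the identification half the article separates out.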

Bootnote

Many years ago, your writer worked for Insurance Age, The Review, Worldwide Reinsurance and Marine Insurance Bulletin. In those days they didn't have computers … as such. El Reg has intentionally withheld precise details of the flaw at this stage in the interests of responsible disclosure.
