Feeds

Gaping hole in Google service exposes thousands to ID theft

Vast number of car insurance hunters at risk by flaw

Using blade systems to cut costs and sharpen efficiencies

Exclusive A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft.

The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details - including names, addresses, phone numbers and job - to be harvested at will.

Information about the flaw was passed to The Register last week by a source who wishes to remain anonymous, but who is familiar with motor insurance aggregation systems. The data could be accessed via a simple edit of a motor insurance proposal form. The Register created a fictitious motorist for this purpose, and completed an online proposal form using Google Compare.

Google Compare sends this form to numerous underwriters - there can be at least 100 of these - and then Google offers you details of the companies that wish to offer a quote, together with their prices.

Some of these companies' quotes, however, can be illicitly accessed. After we had made a simple edit to a vulnerable document, we were no longer viewing our own proposal form, but those of unrelated individuals.

When the edited document was passed to the vulnerable system, an entirely different proposal - often from an entirely unrelated underwriter - was displayed. Essentially, once a criminal has a form fielded by the vulnerable system, he could repeatedly edit the form in order to obtain complete details of a new person every time. The process would not be difficult to automate.

Nor does it appear that all of these people applied for insurance via Google Compare, because some of the forms we viewed were apparently quotes from other insurance comparison sites.

The problem was potentially vast. The Register understands that the flaw lies in third-party software external to Google Compare, operated by insurance and financial specialist SSP. But although Google's own in-house systems were not directly compromised, the SSP system effectively allows criminals to operate Google Compare as a massive identity theft portal.

Our source claimed the SSP system is used by about 20 per cent of motor insurance brokers working with Google Compare, but that "quotes from near enough all car insurance comparison sites in the UK go through this system, so you will find all Google Compare's customers in there, and other comparison sites' customers also".

"Your quote from Go Compare..." You were sitting down, weren't you?

The quote above, accessed using the Google Compare flaw, appears to have been offered via Go Compare, not the spookily similarly named Google Compare.

The SSP system appears to act as a host for quote forms from a range of brokers and aggregators. Aside from this system's ability to leak unrelated forms, Google's own security could be viewed as overly lax.

"Some other aggregators do a server-side redirect," says our source. "Other aggregators do not send the real contact details. It's Google that chooses to send to this system."

Screengrab of our crash test dummy's personal details 

Your personal details, leaked by the vulnerable web system, and another quote inappropriately accessed

After verifying the existence of the flaw, The Register notified the Information Commissioner's Office (ICO) and Google, informing the latter of our intention to publish this story.

Within hours of being notified, a Google spokesman told us it had suspended insurers using SSP software from its comparison site - meaning the flaw can no longer be exploited via Google Compare.

Google also sent us a statement:

As soon as we became aware of this problem, which occurs on certain broker websites that use SSP software, we suspended those brokers. We have raised this issue with SSP and have asked them to address it immediately.

The ICO responded that it will begin enquiries before deciding what action, if any, was required.

We asked Google if it will report itself to the ICO. The company responded that it was SSP and the insurance brokers who had suffered a data breach, not Google. The search giant argued that the same problem exists with all aggregator sites, and said "we didn't hold contracts with SSP - SSP holds contracts with those brokers" and "we're not responsible for content".

Which is a similar argument to the one Google uses regarding other media it links to. Essentially, the company believes it has no legal responsibility for what happens to the user after they've clicked on a link. And yet Google Compare undoubtedly collected personal data at the form-filling stage and passed it on to a third party whose software appears to be insecure. According to Google, that's not its fault.

The Register contacted SSP, and will update our readers when we have received a response.

Although Google insists this isn't its problem, and the same bug exists in other motor insurance aggregators, The Register has been unable to verify this. A check of Go Compare, for example, confirmed that the site does link to brokers using SSP software, but it does not seem to be possible to manipulate the quote proposal document in the same way that was, until yesterday, possible with Google Compare.

The Register's source said it is likely some aggregators are indeed vulnerable to the flaw, but that others were already aware of it and had taken steps to stop it being exploited via their websites.

It seems there are two important aspects to the security bug: First, the way SSP's software handles document storage and retrieval, and second, the security of the identification process. The flaw in the latter lay somewhere on the road from Google to SSP to broker - but that's one for the ICO to figure out. ®

Bootnote

Many years ago, your writer worked for Insurance Age, The Review, Worldwide Reinsurance and Marine Insurance Bulletin. In those days they didn't have computers … as such. El Reg has intentionally withheld precise details of the flaw at this stage in the interests of responsible disclosure.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.