Feeds

Companies House website security 'a bit of a mess'

Nerve centre of British business open to scams

5 things you didn’t know about cloud backup

Serious security holes in the website of Companies House - the UK database of corporate information - have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were "nothing we weren't aware of already". He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems but he said that three were particularly pressing. Firstly comes the ability to login as any company (WebCheck/WebFiling) without a username/password. Moore is also highly critical of the "poor SSL implementation" on the site. Lastly he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He updated his warnings on with a video highlighting the alleged vulnerabilities to the site, and the potential impact of these disputed security flaws.

These flaws open the door to corporate identity theft, he warns. Companies House strongly disputes but an independent security expert asked by El Reg to review arguments on both sides said there are reasonable grounds for concern.

"Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess," Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

"The techniques outlined by [Moore] are certainly not things I expect the average internet user to understand, but they are also not in the category of rocket science. These flaws are not likely to be unknown and anyone with basic penetration testing skills could easily uncover them. We should expect and demand better of our government and those we entrust with our reputations."

Wisniewski, who added the caveat that he hadn't created the accounts necessary to personally verify Moore's claims, concluded that although "by no means are these issues catastrophic", but nonetheless "they should be resolved".

"It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies," he added.

Corporate ID theft is an infrequent though not unprecedented scam. Several years ago, for example, UK firms were urged to be on their guard against a then-emerging scam which specifically targeted the Companies House database. The scam was based on changing the registered office of a limited company before ordering goods and services and disappearing before any invoice came up for payment leaving the hijacked firm holding the can.

Fraud detection firm Early Warning told us at the time that three companies (a Kent property company, an antique dealer and flooring company, both in London) had fallen victim to the scam.

Fraudsters used the same scam to hijack the identity of a firm owned by billionaire businessman Philip Green in September 2005.

This was seven years ago and doubtless procedures have been applied to block that particular ruse, as evidenced by the lack of other corporate victims since. However the reappearance of similar scams using different techniques calls for constant vigilance.

Pass-time

Moore began investigating problems on the Companies House site after requesting a password reset and receiving a plain text password reminder by return of email. It's well known in the security industry that this is slipshod practice and recent problems involving retail giant Tesco brought the issue to wider attention. Some pointers on best practice for password resets can be found here.

After receiving an inadequate response to this issue, Moore dived deeper, discovering a myriad of problems in the process.

That was in early October and although over the subsequent weeks Companies House managed to fix XSS (Cross Site Scripting) and XSRF/CSRF (Cross Site Request Forgery) its fix for the password reset issue was itself problematic, according to Moore.

“Companies House no longer send password reminders; instead opting for a more secure technique whereby passwords can be reset using a token sent to the user’s email address," Moore explained. "In this context, the token should be considered a temporary replacement password, as anyone in possession of it can gain access to the account."

"As such, it should also be securely hashed (or encrypted at least) to prevent unauthorised use. In order to maintain security, the token should expire immediately after use and within an appropriate time frame (90 minutes in this instance), again to prevent unauthorised use."

Moore said that the first attempt to remedy the situation only made matters worse.

"Previously, if your email/backups were intercepted, your password would be visible in plain text," he explained. "That’s clearly a serious risk, but one which can be mitigated by changing your password and securing your inbox. Assuming the hacker hasn’t tampered with the account profile (email address for example) the security of the account should now be restored."

"Following the changes however, the user’s information/company is still at risk even after the password has been changed and the inbox has been secured. The token doesn’t actually expire, despite the system telling you it had," he added.

Moore also argues that SSL setup of the Companies House (CH) website is flawed. He said that although most of the information in WebCheck is publicly available (apart from the personal details used to register) the WebFiling system that allows companies to file returns, accounts, add directors/shares etc) is also vulnerable.

"I don't think it's sunk in yet," he said.

Checks on the secure Companies House WebFiling page using GlobalSign's SSL Configuration Checker, developed using the assessment technology of Qualys SSL Labs, grade the website at a "C". This is a passing grade but one which shows scope for improvement, as illustrated by the results of the publicly available test.

Moore has engaged in extended dialogue with developers and others at Companies House in an attempt to get the alleged vulnerabilities fixed. Although a professional security consultant he said that he acted only as a concerned citizen and business owner and was not seeking to get work from Companies House.

"I’m releasing this information purely to protect businesses and raise awareness, not for financial gain," Moore told El Reg

Taken together the alleged failings suggest shortcomings in the web development and testing process at the government agency.

Days after Moore published his video, in response to a request for comment by The Register, a Companies House spokesman supplied us with an updated statement.

I would reiterate that nothing that was raised by Mr Moore was not already known to us and, where necessary, actions were in train to address matters. Indeed a number of issues have been definitively addressed since we last corresponded. A number of assumptions were made without knowledge of our infrastructure or additional security controls.

We would not wish to discuss these in any public forum for obvious reasons but it remains the case, as we have stated on a number of occasions, that we do take security seriously and any issues raised by customers or other sources are examined and necessary mitigation put in place. This is not just a trite phrase but a matter all public agencies take seriously.

Companies House provides services that allow limited companies in the UK to be either incorporated or dissolved. It also stores company information delivered under the Companies Act and related legislation, such as accounts, and makes this information available to the public. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.