Burglars' delight no more: Immobilise UK secures property list

Security flaws that left millions of records on the Immobilise UK National Property Register website wide open to snooping have been identified and removed.

Security consultant Paul Moore uncovered flaws that meant it was possible to access other members' records.

The Immobilise site allows consumers to add details of valuables in their homes to the National Property Register.

In the wrong hands, the flaw created a means for burglars or like-minded ne'er-do-wells to compile lists of potential theft targets. The records included names, phone numbers and addresses while some included a list of valuables and their estimated value.

Information stored on the database is used to reunite stolen goods once seized with their genuine owners. The service is used by the UK police and endorsed by the policing association ACPO.

Moore discovered that if ID numbers in a web address associated with records stored on the site were changed, different records would be displayed. The lack of compartmentalisation meant no passwords were requested to access the "/verify" & pdf generation pages.

Moore refers to the direct object reference flaw as creating an "open DOR".

The main concern raised by the security flaw was that it may have been possible for miscreants to develop a script to go through the site and harvest property details. Intrusion prevention or other security technologies might have been tripped by such behaviour.

Recipero, which runs Immobilise, issued a statement saying it had fixed the website, adding that it has no evidence that any of the sensitive information had been siphoned off.

Recipero, the provider of the Immobilise.com property register, confirms that a vulnerability in the website process has been identified.

The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item.

This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.

Immobilise, with an estimated 4.2 million users and 28 million records, was also vulnerable to the POODLE/SSLv3 exploit. Recipero also updated systems on the site to plug this vulnerability. ®