One of the UK’s foremost home security services has fixed a major vulnerability that made it possible to view other people’s records.
Immobilise, which lets members of the public add their valuables to the National Property Register, is actually recommended by the UK’s police force, but one security expert suggested that a privacy flaw created a “nice shopping list for a would-be burglar.”
Paul Moore discovered that by changing the ID numbers in the website’s URL, different records could be downloaded, with no authentication required. Immobilise stores a person’s name and address as well as a list of valuables and their estimated worth.
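The flaw class described above, next to one common way to close it, as an added example that is not Immobilise's or Recipero's code: a record view keyed only by the ID in the URL, and a share link (such as the insurer invite the company's statement mentions) built on a random, expiring token that only the record's owner can issue. The record fields, function names and in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data; field names are assumptions, not Immobilise's schema.
RECORDS = {
    1001: {"owner": "alice", "item": "Laptop", "serial": "SN-EXAMPLE-1"},
    1002: {"owner": "bob", "item": "Bicycle", "serial": "SN-EXAMPLE-2"},
}
INVITES = {}  # sha256(token) -> (record_id, expiry as epoch seconds)


def view_by_id_flawed(record_id):
    """The flaw class: the ID in the URL is the only thing checked."""
    return RECORDS.get(record_id)


def create_insurer_invite(user, record_id, ttl=86400, now=None):
    """Only the record's owner may mint a share link for it."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        raise PermissionError("not the owner of this record")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
    digest = hashlib.sha256(token.encode()).hexdigest()
    INVITES[digest] = (record_id, now + ttl)  # store only the hash
    return token


def view_by_invite(token, now=None):
    """Resolve the record from the token; the caller never supplies an ID."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = INVITES.get(digest)
    if entry is None or now >= entry[1]:
        return None  # unknown or expired link: same response for both
    return RECORDS[entry[0]]


if __name__ == "__main__":
    print(view_by_id_flawed(1002))          # any visitor reads bob's record
    link = create_insurer_invite("alice", 1001)
    print(view_by_invite(link))             # alice's insurer sees her item
    print(view_by_invite("guessed-value"))  # None
```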
Recipero, the operator behind Immobilise, has stressed that the flaw was rectified swiftly and that the site is now secure.
“The vulnerability targeted a feature intended for use by registrants when inviting their insurers to view details of an item,” the company said in a statement.
“This vulnerability has been removed and a thorough review of records revealed no evidence of irregular usage.”
In an interview with the BBC, Recipero’s chief operating officer, Les Gray, claimed that Mr Moore’s report contained a number of inaccuracies, but did admit that the company had recently been found to be susceptible to the Poodle flaw.
The Poodle bug affects web encryption technology, but Recipero reiterated that this problem has also now been dealt with.
Immobilise has proven useful to UK police, enabling officers to match stolen goods to their rightful owners. However, Mr Moore’s blog post highlights that vulnerabilities in the service could be used for criminal ends.
“They’ll know your name, home address, telephone number(s), email address, the make/model of your item, any identifying factors (serial numbers, IMEIs, unique marks etc) and even how much it’s worth!” he wrote online.
“Sure, it’ll take some time and [hackers are] bound to hit a rate limiter along the way, but even if it takes a day/week/month, it’s worth the wait.”
Despite these security concerns, Recipero emphasised the speed with which it rectified recent problems.
“For over a decade Recipero’s Crime Reduction Ecosystem has benefited the public, police and traders,” it said.
“Throughout this period the business has maintained an exemplary record of data security. Swift attention to these issues reflects an ongoing commitment to security and privacy.”