The Immobilise.com online database, which helps people to store their mobile phone’s IMEI number and record other valuable items, has had a significant security flaw fixed this week.
Users are able to see an online ‘certificate’ that includes their name, address and details of the property they’d registered.
However, security consultant Paul Moore discovered that changing the numbers in a web address for this certificate could reveal information about other people’s valuables.
He described it as “a nice shopping list for a would-be burglar”.
Mr Moore had contacted Recipero, the company behind the Immobilise and CheckMEND sites, in 2013 to warn them about the vulnerability. He made the news public this week after realising that the security flaw still hadn’t been fixed.
Since publicising the issue, the vulnerability has been removed.
In a statement on the Immobilise.com website, Recipero said “We confirm that a vulnerability in a website feature was highlighted to us on 3rd January. If exploited this could have allowed a third party to view details associated with an item registration. The vulnerability was in a feature intended for use by insurers when confirming the validity of an ownership certificate given to them by a claimant. The feature was removed within 30 minutes of us becoming aware. A thorough review of our records reveals no evidence of any data leakage and therefore no requirement to contact any individual Immobilise users.”
[BBC News; Paul Moore website]