[ISN] Companies House website security 'a bit of a mess'
By John Leyden
28th November 2012
Serious security holes in the website of Companies House - the UK
database of corporate information - have exposed sensitive data and
created the risk of corporate identity theft, security consultants warn.
The UK government agency maintains that alleged security flaws
identified by researcher Paul Moore are either in the process of being
fixed or not worthy of serious concern. A spokesman initially told El
Reg that issues first highlighted in a blog post last month by Moore
were "nothing we weren't aware of already". He added that most of the
information held by Companies House was public information.
Moore strongly disputes this. His blog post covers a litany of alleged
security problems but he said that three were particularly pressing.
Firstly comes the ability to log in as any company (WebCheck/WebFiling)
without a username/password. Moore is also highly critical of the "poor
SSL implementation" on the site. Lastly he charged Companies House with
failing to put the site through adequate penetration testing, a security
evaluation procedure commonly used across the industry as a means to
pick up on security problems before they are exploited by hackers.
Moore first highlighted concerns about the Companies House website more
than a month ago. He updated his warnings on with a video highlighting
the alleged vulnerabilities to the site, and the potential impact of
these disputed security flaws.