[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Companies House website security 'a bit of a mess'


By John Leyden
The Register
28th November 2012

Serious security holes in the website of Companies House - the UK database of corporate information - have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were "nothing we weren't aware of already". He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems but he said that three were particularly pressing. Firstly comes the ability to login as any company (WebCheck/WebFiling) without a username/password. Moore is also highly critical of the "poor SSL implementation" on the site. Lastly he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He updated his warnings on with a video highlighting the alleged vulnerabilities to the site, and the potential impact of these disputed security flaws.


Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!