Gaping hole in Google service exposes thousands to ID theft
From: security curmudgeon <jericho () attrition org>
Date: Sat, 10 Nov 2012 22:09:06 -0600 (CST)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
By John Lettice
8th November 2012
Exclusive -- A security flaw accessible via Google's UK motor insurance
aggregator Google Compare has potentially exposed vast numbers of drivers
to identity theft.
The vulnerability, the existence of which has been verified by The
Register, made it possible for comprehensive personal details - including
names, addresses, phone numbers and job - to be harvested at will.
Information about the flaw was passed to The Register last week by a
source who wishes to remain anonymous, but who is familiar with motor
insurance aggregation systems. The data could be accessed via a simple
edit of a motor insurance proposal form. The Register created a fictitious
motorist for this purpose, and completed an online proposal form using
Google Compare sends this form to numerous underwriters - there can be at
least 100 of these - and then Google offers you details of the companies
that wish to offer a quote, together with their prices.
Some of these companies' quotes, however, can be illicitly accessed. After
we had made a simple edit to a vulnerable document, we were no longer
viewing our own proposal form, but those of unrelated individuals.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
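The article above does not say what the "simple edit" to the proposal form was, only that changing a vulnerable document let the reporter read other motorists' proposals. The pattern that produces exactly that symptom is a server that looks up a record by an identifier supplied in the client's form without checking that the record belongs to the logged-in user. The following is an added illustration of that pattern beside its fix; it is not The Register's test, not Google Compare's code, and the field name `proposal_id`, the sequential ids, the sample motorists and the hypothetical handlers `fetch_proposal_insecure` / `fetch_proposal_secure` are all assumptions for illustration.

```python
"""Added illustration of an insecure direct object reference on a form field.
Not the original article's code nor the aggregator's; all names, ids and sample
data are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode
import secrets


@dataclass(frozen=True)
class Proposal:
    """One motorist's proposal as stored server-side (constructed sample)."""
    owner: str          # session user who created the proposal
    name: str
    address: str
    phone: str
    occupation: str


# Constructed sample store: two unrelated motorists keyed by a sequential,
# guessable identifier (an assumption about the vulnerable design).
PROPOSALS: Dict[str, Proposal] = {
    "1001": Proposal("alice", "A. Motorist", "1 Example Road, Leeds",
                     "0113 000 0000", "engineer"),
    "1002": Proposal("bob", "B. Driver", "2 Sample Street, Bristol",
                     "0117 000 0000", "nurse"),
}


def tamper_form(body: str, field: str, value: str) -> str:
    """Return the URL-encoded form body with one field rewritten: the
    'simple edit' an attacker makes before resubmitting the form."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    fields[field] = value
    return urlencode(fields)


def fetch_proposal_insecure(body: str) -> Optional[Proposal]:
    """Vulnerable pattern: the proposal id taken from the submitted form is
    trusted and looked up directly, so whoever edits the id reads another
    person's proposal."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return PROPOSALS.get(fields.get("proposal_id", ""))


def fetch_proposal_secure(session_user: str, body: str) -> Optional[Proposal]:
    """Hardened pattern: the id still comes from the form, but the record is
    returned only when it belongs to the authenticated session user."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    proposal = PROPOSALS.get(fields.get("proposal_id", ""))
    if proposal is None or proposal.owner != session_user:
        # Deny, and do not distinguish "no such id" from "not yours", so the
        # response cannot be used to enumerate valid identifiers.
        return None
    return proposal


def new_proposal_id() -> str:
    """Defence in depth: issue unguessable identifiers so ids cannot be
    walked sequentially. This does not replace the ownership check above."""
    return secrets.token_urlsafe(24)


def _demo() -> None:
    original = "proposal_id=1001&reg=AB12CDE"          # constructed request body
    tampered = tamper_form(original, "proposal_id", "1002")
    print("insecure, tampered id:", fetch_proposal_insecure(tampered))
    print("secure, tampered id:  ", fetch_proposal_secure("alice", tampered))
    print("secure, own id:       ", fetch_proposal_secure("alice", original))


if __name__ == "__main__":
    _demo()
```

The ownership check is the actual fix; random identifiers only raise the cost of guessing and are worth adding because an aggregator that fans a form out to dozens of underwriters may pass the identifier through systems it does not control.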