Data Loss mailing list archives

Gaping hole in Google service exposes thousands to ID theft
From: security curmudgeon <jericho () attrition org>
Date: Sat, 10 Nov 2012 22:09:06 -0600 (CST)

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>


By John Lettice
The Register
8th November 2012

Exclusive -- A security flaw accessible via Google's UK motor insurance 
aggregator Google Compare has potentially exposed vast numbers of drivers 
to identity theft.

The vulnerability, the existence of which has been verified by The 
Register, made it possible for comprehensive personal details - including 
names, addresses, phone numbers and job - to be harvested at will.

Information about the flaw was passed to The Register last week by a 
source who wishes to remain anonymous, but who is familiar with motor 
insurance aggregation systems. The data could be accessed via a simple 
edit of a motor insurance proposal form. The Register created a fictitious 
motorist for this purpose, and completed an online proposal form using 
Google Compare.

Google Compare sends this form to numerous underwriters - there can be at 
least 100 of these - and then Google offers you details of the companies 
that wish to offer a quote, together with their prices.

Some of these companies' quotes, however, can be illicitly accessed. After 
we had made a simple edit to a vulnerable document, we were no longer 
viewing our own proposal form, but those of unrelated individuals.

Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

