Information Security News mailing list archives

Gaping hole in Google service exposes thousands to ID theft


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 9 Nov 2012 03:22:36 -0600 (CST)

http://www.theregister.co.uk/2012/11/08/google_compare_identity_theft/

By John Lettice
The Register
8th November 2012

Exclusive -- A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft.

The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details - including names, addresses, phone numbers and job - to be harvested at will.

Information about the flaw was passed to The Register last week by a source who wishes to remain anonymous, but who is familiar with motor insurance aggregation systems. The data could be accessed via a simple edit of a motor insurance proposal form. The Register created a fictitious motorist for this purpose, and completed an online proposal form using Google Compare.

Google Compare sends this form to numerous underwriters - there can be at least 100 of these - and then Google offers you details of the companies that wish to offer a quote, together with their prices.

Some of these companies' quotes, however, can be illicitly accessed. After we had made a simple edit to a vulnerable document, we were no longer viewing our own proposal form, but those of unrelated individuals.

[...]

