TechRadar
Sead Fadilpašić

Companies House online filing back to normal after glitch allowed users to change directors' details


  • Companies House shuts down WebFiling after misconfiguration found
  • Logged-in users could view or alter other companies’ data
  • Sensitive details like DOBs and addresses briefly exposed, now patched

Companies House, the official government registrar of companies in the United Kingdom, was leaking sensitive company data to unauthorized third parties. The discovery of the vulnerability forced it to shut down one of its services over the weekend, as it investigated and addressed the issue.

In a press release published earlier this morning, Companies House CEO, Andy King, said the organization spotted a misconfiguration on Friday afternoon, “which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.”

WebFiling is a service that allows organizations to submit official documents electronically.

Exposing sensitive data

Although the bug was accessible only to logged-in users with an authorized code, Companies House closed the service and worked to resolve it. “The service has been independently tested and is back online as of 9am on Monday 16 March,” the announcement reads.

However, during the investigation, the organization found that some company data “not normally published on the Companies House register” may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses, or company email addresses. Malicious actors could also have changed other companies’ data, such as data on accounts or directors.

But the CEO says stealing any of this data would be mighty difficult, since attackers would need to view one company at a time. He also confirmed that passwords were not compromised, data needed for ID verification was not accessed, and existing filed documents were not tampered with.

Despite the attack sounding lukewarm, Companies House still asked all organizations to check their registered details and filing history, and to reach out if there are any concerns.

The CEO finished off the announcement with an apology, saying Companies House takes its responsibility to protect data “extremely seriously”.

Via Financial Times


