[ISN] Gaping hole in Google service exposes thousands to ID theft

From: InfoSec News <alerts_at_private>
Date: Fri, 9 Nov 2012 03:22:36 -0600 (CST)
http://www.theregister.co.uk/2012/11/08/google_compare_identity_theft/

By John Lettice
The Register
8th November 2012

Exclusive -- A security flaw accessible via Google's UK motor insurance 
aggregator Google Compare has potentially exposed vast numbers of 
drivers to identity theft.

The vulnerability, the existence of which has been verified by The 
Register, made it possible for comprehensive personal details - 
including names, addresses, phone numbers and job - to be harvested at 
will.

Information about the flaw was passed to The Register last week by a 
source who wishes to remain anonymous, but who is familiar with motor 
insurance aggregation systems. The data could be accessed via a simple 
edit of a motor insurance proposal form. The Register created a 
fictitious motorist for this purpose, and completed an online proposal 
form using Google Compare.

Google Compare sends this form to numerous underwriters - there can be 
at least 100 of these - and then Google offers you details of the 
companies that wish to offer a quote, together with their prices.

Some of these companies' quotes, however, can be illicitly accessed. 
After we had made a simple edit to a vulnerable document, we were no 
longer viewing our own proposal form, but those of unrelated 
individuals.

[...]


Received on Fri Nov 09 2012 - 01:22:36 PST
