Companies House vulnerability enabled company hijacking
10 hours ago
- A major vulnerability in the Companies House website allowed free access to any of the five million registered companies' dashboards.
- The vulnerability exposed directors' home addresses and email addresses, and potentially allowed company details to be edited and accounts to be filed.
- Discovered by John Hewitt at Ghost Mail, the issue was verified and reported to Companies House, leading to a temporary shutdown of their web filing systems.
- The exploit required logging into Companies House with personal details, accessing one's own company dashboard, then attempting to file for another company without the authentication code.
- The vulnerability also appeared to enable editing of company details and filing of accounts, though the actual impact is unclear.
- Companies House responded by shutting down their web filing system and investigating the issue.
- Concerns include how long the vulnerability existed, whether Companies House can track its usage, and the security and GDPR implications of exposed personal data.
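
One way the tracking concern above could be checked from access logs, as an added example that is not from the original report or from Companies House: flag any session that viewed or filed for a company before a valid authentication code for that company was accepted in that session. The event schema, action names, company numbers and log lines are constructed assumptions.

```python
import json

# Constructed sample events. The schema, action names and company numbers are
# assumptions for illustration, not Companies House's real log format.
SAMPLE_LOG = """\
{"ts":"2025-01-01T09:00:00Z","session":"s1","action":"auth_code_ok","company":"00000001"}
{"ts":"2025-01-01T09:00:05Z","session":"s1","action":"view_dashboard","company":"00000001"}
{"ts":"2025-01-01T09:01:00Z","session":"s1","action":"view_dashboard","company":"00000002"}
{"ts":"2025-01-01T09:01:30Z","session":"s1","action":"start_filing","company":"00000002"}
{"ts":"2025-01-01T09:02:00Z","session":"s2","action":"auth_code_ok","company":"00000003"}
{"ts":"2025-01-01T09:02:10Z","session":"s2","action":"start_filing","company":"00000003"}
{"ts":"2025-01-01T09:03:00Z","session":"s3","action":"view_dashboard","company":"00000003"}
{"ts":"2025-01-01T09:04:00Z","session":"s3","action":"auth_code_ok","company":"00000003"}
"""

GRANT = "auth_code_ok"                               # code accepted for a company
SENSITIVE = {"view_dashboard", "start_filing", "edit_details"}


def find_unauthorised_access(log_text):
    """Return sensitive events on a company the session had not yet
    presented a valid authentication code for."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])               # same-format ISO 8601 sorts as text
    authorised = {}                                  # session -> company numbers
    findings = []
    for ev in events:
        granted = authorised.setdefault(ev["session"], set())
        if ev["action"] == GRANT:
            granted.add(ev["company"])
        elif ev["action"] in SENSITIVE and ev["company"] not in granted:
            findings.append(ev)
    return findings


def affected_companies(findings):
    """Map each exposed company number to the sessions that touched it."""
    exposed = {}
    for ev in findings:
        exposed.setdefault(ev["company"], set()).add(ev["session"])
    return exposed


if __name__ == "__main__":
    for ev in find_unauthorised_access(SAMPLE_LOG):
        print(ev["ts"], ev["session"], ev["action"], ev["company"])
```

The earliest flagged timestamp bounds how long the gap was in use, and the per-company map is the list of data subjects whose details were exposed.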