The UK’s Companies House has been forced to suspend access to its WebFiling dashboard after being notified of a serious flaw which may have exposed countless businesses to fraud.
The government agency, which is in charge of incorporating and dissolving the nation’s listed companies, made the move on Friday after being notified by Dan Neidle, founder of Tax Policy Associates.
It was brought to the attention of Neidle by John Hewitt at business service provider Ghost Mail. As the former explained in a blog post on Friday, the security glitch is quite simple to exploit.
“All that was required was to log in to Companies House using your own details and access your own company’s dashboard. Then opt to ‘file for another company’ and enter the company number for any one of the five million companies registered with Companies House,” he said.
“At that point you’d be asked for an authentication code, which of course you don’t have. No problem. Press the ‘back’ key a few times to return to your dashboard. Except – it isn’t your dashboard. It’s the other company’s dashboard.”
By exploiting the flaw, opportunistic fraudsters could get access to the personal and corporate information of around five million directors, including email addresses and dates of birth. These could theoretically be used in follow-on phishing attempts.
Perhaps even more concerning is that individuals could also modify the registration details of other companies.
“The copy of the confirmation was emailed to John, and not to me (even though it was my company),” said Neidle of the demo he ran with Hewitt. “That’s extremely dangerous, because it means that any company that falls victim to this exploit would not receive a warning email.”
Neidle said criminals could have theoretically changed the details of other companies in order to open new bank accounts and borrow in their name. Small companies with few built-in safety checks would be most exposed to this kind of threat, he said.
What Happens Next?
Although Companies House has taken the WebFiling dashboard offline while it investigates the case, there are still several questions to answer:
- Could modifications definitely be made via the glitch?
- How long was the website vulnerable?
- Can Companies House track use of the portal, to see if any organizations were impacted?
The agency should at least be able to conduct some retrospective investigation, said Neidle.
“The security experts we spoke to thought that, if Companies House had standard audit logging in place, it should be able to see which logged-in accounts accessed unrelated companies’ dashboards, when that happened, and whether they then attempted filings or changes,” he added.
“There are obvious security and GDPR implications of revealing directors’ home and email addresses for millions of companies. All the more so if nobody knows which companies were impacted by the vulnerability.”
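The retrospective check Neidle describes, as an added example rather than anything from Companies House: triage a constructed audit log for logged-in accounts that reached a dashboard of a company they neither own nor authenticated to, and record whether a filing followed. The log format, field names and the `OWN_COMPANIES` mapping are assumptions for the example.

```python
# Added example (not Companies House code): flag dashboard views or filings
# against companies an account was never authorised for, per the audit-log
# check described in the article.
import re
from collections import defaultdict

# Assumed line format: "<timestamp> account=<id> event=<name> [company=<number>]"
LINE = re.compile(r"(?P<ts>\S+) account=(?P<acct>\S+) event=(?P<event>\S+)"
                  r"(?: company=(?P<company>\S+))?")

# Constructed sample log. u1 enters another company's number, gets the auth
# code prompt, never passes it, yet views that dashboard and files. u2 passes
# the auth code for a second company before viewing it (legitimate).
SAMPLE_LOG = """\
2024-06-01T09:00:01Z account=u1 event=login
2024-06-01T09:00:05Z account=u1 event=dashboard_view company=00000001
2024-06-01T09:01:10Z account=u1 event=auth_code_prompt company=00000002
2024-06-01T09:01:20Z account=u1 event=dashboard_view company=00000002
2024-06-01T09:02:00Z account=u1 event=filing_submit company=00000002
2024-06-01T10:00:00Z account=u2 event=login
2024-06-01T10:00:03Z account=u2 event=dashboard_view company=00000003
2024-06-01T10:00:30Z account=u2 event=auth_code_prompt company=00000004
2024-06-01T10:00:45Z account=u2 event=auth_code_ok company=00000004
2024-06-01T10:00:50Z account=u2 event=dashboard_view company=00000004
"""

# Assumed mapping of each account to the companies it legitimately owns.
OWN_COMPANIES = {"u1": {"00000001"}, "u2": {"00000003"}}

def find_unauthorised_access(log_text, own_companies):
    """Return {account: [(timestamp, event, company), ...]} for every
    dashboard view or filing against a company the account neither owns
    nor passed an authentication code for earlier in the log."""
    authorised = {acct: set(cos) for acct, cos in own_companies.items()}
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        acct, event, company = m["acct"], m["event"], m["company"]
        if event == "auth_code_ok":
            # A successful authentication code legitimately extends access.
            authorised.setdefault(acct, set()).add(company)
        elif event in ("dashboard_view", "filing_submit") \
                and company not in authorised.get(acct, set()):
            findings[acct].append((m["ts"], event, company))
    return dict(findings)
```

Each finding gives the account, the time, and whether the access went on to a filing, which is exactly what an incident responder would need to notify affected companies.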
While the investigation is ongoing, directors would be advised to check their Companies House registration data to ensure it hasn’t been changed – including both publicly available and non-public information.
