Flawed Software Exposes Details of UK Users via Google Compare

Names, addresses, phone numbers and job titles could be easily accessed

By on November 9th, 2012 08:19 GMT

A flawed piece of software made it possible for anyone with the proper know-how to access the details of thousands of individuals – including their names, addresses, phone numbers and job titles – via the Google Compare motor insurance aggregator available in the UK.

According to The Register, which was notified of the security hole by an individual who wishes to remain anonymous, the vulnerability exists in a third-party application managed by SSP – a firm that offers its services to financial advisers, insurers and brokers.

The flawed service, made accessible via certain insurance brokerage websites, basically turned Google Compare into a “massive identity theft portal” which might have affected thousands.

Anyone with an account – fictitious or real – could have accessed the information of others simply by editing a motor insurance proposal form. By modifying a single parameter in the vulnerable form, the details of other individuals could be retrieved.

Furthermore, an attacker could have easily automated the process.
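As an added illustration (hypothetical code, not SSP's or Google's): the lookup pattern the report describes, where a record is fetched by the client-supplied proposal id alone, next to the fix that binds the lookup to the authenticated account, plus a simple log check for the automated variant. The proposal store, account names and ids are constructed for the example.

```python
"""Vulnerable vs. hardened proposal lookup (hypothetical; not SSP's code)."""
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# Constructed sample store: proposal_id -> (owning account, personal details)
PROPOSALS = {
    1001: ("alice", {"name": "A. Example", "phone": "01234 000001"}),
    1002: ("bob",   {"name": "B. Example", "phone": "01234 000002"}),
    1003: ("bob",   {"name": "B. Example", "phone": "01234 000003"}),
}


def get_proposal_vulnerable(proposal_id: int) -> Optional[dict]:
    """The flaw the article describes: the record is looked up by the
    client-supplied id alone, so any logged-in account (real or fictitious)
    that edits the id in the form receives someone else's details."""
    entry = PROPOSALS.get(proposal_id)
    return entry[1] if entry else None


def get_proposal_hardened(account: str, proposal_id: int) -> Optional[dict]:
    """Fix: bind the lookup to the authenticated session. The id still comes
    from the form, but the record is returned only if it belongs to the
    caller; a mismatch is treated exactly like a missing record, so the
    response does not reveal whether another person's proposal exists."""
    entry = PROPOSALS.get(proposal_id)
    if entry is None or entry[0] != account:
        return None
    return entry[1]


def flag_enumeration(access_log: Iterable[Tuple[str, int]],
                     threshold: int = 5) -> list:
    """Detection for the automated variant the article warns about: an
    account that touches more distinct proposal ids than it could plausibly
    own. access_log is an iterable of (account, proposal_id) pairs taken
    from the application's access log (constructed here)."""
    seen = defaultdict(set)
    for account, pid in access_log:
        seen[account].add(pid)
    return sorted(a for a, ids in seen.items() if len(ids) >= threshold)
```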

The Register notified both Google and the Information Commissioner’s Office (ICO) of the issue.

Google immediately suspended the broker websites that were utilizing the SSP software and notified the company responsible for the buggy application.

The search engine giant’s representatives state that the insurance brokers and SSP have suffered a data breach, not them. Furthermore, they say that they don’t hold contracts with SSP.

They have also highlighted the fact that the problem affects all motor insurance aggregators. However, this theory couldn’t be verified.

The individual who reported the flaw claims that it is possible that other aggregators are vulnerable as well, but some of them might have already started addressing the issue.

On the other hand, he argued that “other aggregators do a server-side redirect.”

“Other aggregators do not send the real contact details. It's Google that chooses to send to this system,” he said.
