Companies House website security 'a bit of a mess'

Nerve centre of British business open to scams


Serious security holes in the website of Companies House - the UK database of corporate information - have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were "nothing we weren't aware of already". He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems but he said that three were particularly pressing. Firstly comes the ability to login as any company (WebCheck/WebFiling) without a username/password. Moore is also highly critical of the "poor SSL implementation" on the site. Lastly he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He has since updated his warnings with a video demonstrating the alleged vulnerabilities in the site, and the potential impact of these disputed security flaws.

These flaws open the door to corporate identity theft, he warns. Companies House strongly disputes this, but an independent security expert asked by El Reg to review the arguments on both sides said there are reasonable grounds for concern.

"Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess," Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

"The techniques outlined by [Moore] are certainly not things I expect the average internet user to understand, but they are also not in the category of rocket science. These flaws are not likely to be unknown and anyone with basic penetration testing skills could easily uncover them. We should expect and demand better of our government and those we entrust with our reputations."

Wisniewski, who added the caveat that he hadn't created the accounts necessary to personally verify Moore's claims, concluded that although "by no means are these issues catastrophic", nonetheless "they should be resolved".

"It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies," he added.

Corporate ID theft is an infrequent though not unprecedented scam. Several years ago, for example, UK firms were urged to be on their guard against a then-emerging scam which specifically targeted the Companies House database. The scam was based on changing the registered office of a limited company before ordering goods and services and disappearing before any invoice came up for payment leaving the hijacked firm holding the can.

Fraud detection firm Early Warning told us at the time that three companies (a Kent property company, an antique dealer and flooring company, both in London) had fallen victim to the scam.

Fraudsters used the same scam to hijack the identity of a firm owned by billionaire businessman Philip Green in September 2005.

This was seven years ago and doubtless procedures have been applied to block that particular ruse, as evidenced by the lack of other corporate victims since. However the reappearance of similar scams using different techniques calls for constant vigilance.

Pass-time

Moore began investigating problems on the Companies House site after requesting a password reset and receiving a plain text password reminder by return of email. It's well known in the security industry that this is slipshod practice and recent problems involving retail giant Tesco brought the issue to wider attention. Some pointers on best practice for password resets can be found here.

After receiving an inadequate response to this issue, Moore dived deeper, discovering a myriad of problems in the process.

That was in early October and although over the subsequent weeks Companies House managed to fix XSS (Cross Site Scripting) and XSRF/CSRF (Cross Site Request Forgery) flaws, its fix for the password reset issue was itself problematic, according to Moore.

“Companies House no longer send password reminders; instead opting for a more secure technique whereby passwords can be reset using a token sent to the user’s email address," Moore explained. "In this context, the token should be considered a temporary replacement password, as anyone in possession of it can gain access to the account."

"As such, it should also be securely hashed (or encrypted at least) to prevent unauthorised use. In order to maintain security, the token should expire immediately after use and within an appropriate time frame (90 minutes in this instance), again to prevent unauthorised use."

Moore said that the first attempt to remedy the situation only made matters worse.

"Previously, if your email/backups were intercepted, your password would be visible in plain text," he explained. "That’s clearly a serious risk, but one which can be mitigated by changing your password and securing your inbox. Assuming the hacker hasn’t tampered with the account profile (email address for example) the security of the account should now be restored."

"Following the changes however, the user’s information/company is still at risk even after the password has been changed and the inbox has been secured. The token doesn’t actually expire, despite the system telling you it had," he added.
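The token properties Moore describes above (stored only as a hash, single use, a 90-minute lifetime, and dead once the password has been changed) written out as an added Python example. This is a constructed illustration, not Companies House code; the ResetTokenStore class and its method names are assumptions.

```python
import hashlib
import secrets

# Constructed example, not Companies House code. A reset token is in effect
# a temporary password, so it gets the same treatment: hashed at rest,
# usable once, and expiring after TOKEN_TTL_SECONDS (90 minutes here).
TOKEN_TTL_SECONDS = 90 * 60


def _hash_token(token: str) -> str:
    # Only the hash is stored; a leaked database or backup yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self):
        # token hash -> [account, issued_at (seconds), used]
        self._tokens = {}

    def issue(self, account: str, now: float) -> str:
        # 256 bits from the OS CSPRNG; the raw value goes in the email, never the DB.
        token = secrets.token_urlsafe(32)
        self._tokens[_hash_token(token)] = [account, now, False]
        return token

    def redeem(self, token: str, now: float):
        """Return the account if the token is valid, else None.
        Invalid means unknown, already used, or older than TOKEN_TTL_SECONDS."""
        entry = self._tokens.get(_hash_token(token))
        if entry is None:
            return None
        account, issued_at, used = entry
        if used or now - issued_at > TOKEN_TTL_SECONDS:
            return None
        entry[2] = True  # single use: burn the token on first redemption
        return account

    def revoke_account(self, account: str) -> None:
        # Called on any password change or reset: outstanding tokens for the
        # account are dead, so an intercepted email cannot be replayed later.
        for entry in self._tokens.values():
            if entry[0] == account:
                entry[2] = True
```

`redeem` is the check the page says was missing: a token that reports itself expired must actually be refused on the next attempt.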

Moore also argues that the SSL setup of the Companies House (CH) website is flawed. He said that although most of the information in WebCheck is publicly available (apart from the personal details used to register), the WebFiling system (which allows companies to file returns and accounts, add directors and shares, and so on) is also vulnerable.

"I don't think it's sunk in yet," he said.

Checks on the secure Companies House WebFiling page using GlobalSign's SSL Configuration Checker, developed using the assessment technology of Qualys SSL Labs, grade the website at a "C". This is a passing grade but one which shows scope for improvement, as illustrated by the results of the publicly available test.

Moore has engaged in extended dialogue with developers and others at Companies House in an attempt to get the alleged vulnerabilities fixed. Although a professional security consultant he said that he acted only as a concerned citizen and business owner and was not seeking to get work from Companies House.

"I’m releasing this information purely to protect businesses and raise awareness, not for financial gain," Moore told El Reg.

Taken together the alleged failings suggest shortcomings in the web development and testing process at the government agency.

Days after Moore published his video, in response to a request for comment by The Register, a Companies House spokesman supplied us with an updated statement.

I would reiterate that nothing that was raised by Mr Moore was not already known to us and, where necessary, actions were in train to address matters. Indeed a number of issues have been definitively addressed since we last corresponded. A number of assumptions were made without knowledge of our infrastructure or additional security controls.

We would not wish to discuss these in any public forum for obvious reasons but it remains the case, as we have stated on a number of occasions, that we do take security seriously and any issues raised by customers or other sources are examined and necessary mitigation put in place. This is not just a trite phrase but a matter all public agencies take seriously.

Companies House provides services that allow limited companies in the UK to be either incorporated or dissolved. It also stores company information delivered under the Companies Act and related legislation, such as accounts, and makes this information available to the public. ®
