Email to registered companies about the WebFiling security issue (opens in new tab)

(gov.uk)

2 pointssarusso7d ago5 comments

5 comments

sarussoOP7d ago

"Our investigation found that it was technically possible for a logged-in registered user to:

1. See certain data not normally published on the public register:

- the day of the date of birth for directors and PSCs

- residential address for directors and PSCs

- company registered email address

2. File updates to any information without consent. For example, new accounts or changes of director."

chrisjj7d ago

Only technically possible, so not so bad. /i

And more weasel words at:

The issue could only have been exploited by a logged-in user performing a specific set of actions.

At this stage, we have no confirmed reports of any data having been accessed or changed without permission, and we believe the issue could not have been used to extract data in large volumes.

sarussoOP7d ago

The "specific set of actions" is so vague that could range from just opening a specific company page and clicking on a button to performing a complex chain of steps.

This said, it's not that bad, that's true. But the idea of having the personal residential address exposed is not great either.

1 more reply

beardyw7d ago

If I remember right, date of birth and address used to be right there on the company page. Led to credit being taken out in my name, which luckily got picked up.

j / k navigate · click thread line to collapse

5 comments

sarussoOP7d ago

"Our investigation found that it was technically possible for a logged-in registered user to:

1. See certain data not normally published on the public register:

- the day of the date of birth for directors and PSCs

- residential address for directors and PSCs

- company registered email address

2. File updates to any information without consent. For example, new accounts or changes of director."

chrisjj7d ago

Only technically possible, so not so bad. /i

And more weasel words at:

The issue could only have been exploited by a logged-in user performing a specific set of actions.

At this stage, we have no confirmed reports of any data having been accessed or changed without permission, and we believe the issue could not have been used to extract data in large volumes.

sarussoOP7d ago

The "specific set of actions" is so vague that could range from just opening a specific company page and clicking on a button to performing a complex chain of steps.

This said, it's not that bad, that's true. But the idea of having the personal residential address exposed is not great either.

1 more reply

beardyw7d ago

If I remember right, date of birth and address used to be right there on the company page. Led to credit being taken out in my name, which luckily got picked up.

j / k navigate · click thread line to collapse