Security Advisories

Security Vulnerability – 4th June 2020

On 4th June 2020 we received a bug report from a concerned report recipient who found a potential security issue affecting image gallery data. The vulnerability could have allowed an unauthenticated user to view the gallery section of a completed report (name, address and property images). It was caused by a missing check on an authentication token passed as a GET parameter: as long as a token was present in the request, it was not properly checked.

There is no evidence to suggest that there has been a data breach beyond this reported incident. Our reporting logs dating back to the origin of this vulnerability do not identify any breaches outside of the reported incident.
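The flaw described above (a token that only had to be present) next to a check that validates it, plus the kind of log review that separates the two. This is an added example, not code from our platform. The `/gallery` path, the `report` and `token` parameter names, the token store and the sample log lines are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed data: report id -> SHA-256 of the token issued to its recipient.
ISSUED = {
    "r-1001": hashlib.sha256(b"constructed-token-A").hexdigest(),
    "r-1002": hashlib.sha256(b"constructed-token-B").hexdigest(),
}

def _param(url, name):
    """Return the single value of a GET parameter, or "" if absent/blank/repeated."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if len(values) == 1 else ""

def allow_presence_only(url):
    """Flawed pattern from the advisory: any non-empty token is accepted."""
    return bool(_param(url, "token"))

def allow_validated(url):
    """Hardened: the token must be the one issued for this specific report."""
    expected = ISSUED.get(_param(url, "report"))
    token = _param(url, "token")
    if expected is None or not token:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, expected)  # constant-time compare

def audit(urls):
    """Log review: requests the flawed check served that the fixed check rejects."""
    return [u for u in urls if allow_presence_only(u) and not allow_validated(u)]

# Constructed request log lines (hypothetical endpoint and parameter names).
SAMPLE_LOG = [
    "/gallery?report=r-1001&token=constructed-token-A",  # legitimate recipient
    "/gallery?report=r-1001&token=x",                    # arbitrary token
    "/gallery?report=r-1001&token=constructed-token-B",  # token for another report
    "/gallery?report=r-1002",                            # no token at all
]

if __name__ == "__main__":
    for url in audit(SAMPLE_LOG):
        print("served without a valid token:", url)
```

Binding the token to the report id matters as much as validating it: a token that is genuine for one report must not open another.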

This bug was mitigated within an hour of the initial report on 4th June 2020 and could potentially have affected completed reports only (more detail below).

Potentially Affected Reports:

Completed Inventory
Completed Check-in Inventory
Completed Interim Visit
Completed Check-out Inventory

Unaffected Reports:

Right to Rent
Third Party Uploads

New Security Measures Moving Forwards

We are aware that this is a new problem for us to encounter, and we are looking at ways to improve the prevention, detection and reporting of such issues in the future:

  • Today we have made the decision to participate in a bug bounty program (https://www.bugcrowd.com/), which gives security researchers/penetration testers an official way to report bugs and be rewarded for their efforts.
  • We are continuing to look at ways that we can enforce good data minimisation practices across all users of our platforms.

Acknowledgements

Finally, we would like to thank the person for reporting the bug to us and allowing us to fix it quickly.