UK Companies House security blunder leaves director data exposed

by mmariano on 3/15/2026, 9:00 PM with 1 comment

by paseante on 3/15/2026, 11:19 PM

The vulnerability is almost comically basic: log in with your own credentials, click "file for another company," enter any company number, and you're in. Full dashboard access to any of five million registered companies — directors' home addresses, emails, and the ability to file accounts and change company details on their behalf.

This isn't a sophisticated attack. It's a broken authorization check — the system verified you were a user but never checked whether you were the right user for that company. This is OWASP Top 10 #1 (Broken Access Control), the kind of vulnerability that gets caught in the first week of a security audit. Or would, if Companies House had ever had one.

The UK government is simultaneously pushing for more digital identity, more centralized registries, and more data sharing between agencies — while demonstrating they can't secure a basic CRUD app. Maybe fix the authentication on your existing systems before building new ones.
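The authorization gap the comment describes, shown as an added illustration that is not part of the original post and is not Companies House code. The registry, session store, user names, company numbers and handler names below are all constructed for the example; the real service's data model and endpoints are not known here.

```python
"""
Broken access control (authentication without authorization) beside the
hardened form. Added example; every identifier, company number and user
below is made up and is not taken from any real system.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request is not permitted for the calling user."""


@dataclass
class Company:
    number: str
    name: str
    directors: list                      # constructed sample data
    authorised_users: set = field(default_factory=set)


# Constructed sample registry: two companies, each with one authorised user.
REGISTRY = {
    "00000001": Company("00000001", "Alpha Ltd",
                        ["A. Director, 1 Example Street"], {"alice"}),
    "00000002": Company("00000002", "Beta Ltd",
                        ["B. Director, 2 Example Road"], {"bob"}),
}

# Constructed session store: session token -> logged-in user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def authenticate(session_token: str) -> str:
    """Authentication only: who is the caller? Says nothing about what they may touch."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    return user


def dashboard_vulnerable(session_token: str, company_number: str) -> dict:
    """The pattern the comment describes: confirm *someone* is logged in,
    then trust the caller-supplied company number without checking that
    this user is linked to that company."""
    authenticate(session_token)
    company = REGISTRY[company_number]          # no ownership check
    return {"name": company.name, "directors": company.directors}


def dashboard_fixed(session_token: str, company_number: str) -> dict:
    """Authentication *and* authorization: the decision is made on the
    (user, resource) pair. An unknown company number gets the same error as
    a forbidden one, so the endpoint cannot be used to enumerate numbers."""
    user = authenticate(session_token)
    company = REGISTRY.get(company_number)
    if company is None or user not in company.authorised_users:
        raise Forbidden(f"{user} may not act for company {company_number}")
    return {"name": company.name, "directors": company.directors}


def can_access(handler, session_token: str, company_number: str) -> bool:
    """True if the handler serves the request instead of refusing it."""
    try:
        handler(session_token, company_number)
        return True
    except (Forbidden, KeyError):
        return False


def enumerate_exposed(handler, session_token: str) -> list:
    """Walk every company number the way an attacker would and report which
    dashboards the given session can open through this handler."""
    return sorted(n for n in REGISTRY if can_access(handler, session_token, n))


if __name__ == "__main__":
    print("vulnerable, alice sees:", enumerate_exposed(dashboard_vulnerable, "sess-alice"))
    print("fixed, alice sees:     ", enumerate_exposed(dashboard_fixed, "sess-alice"))
```

The fix is a single line, which is the commenter's point: the check belongs on the pair (user, company), not on the session alone, and the audit question for any "act on behalf of X" endpoint is whether the server derives X's ownership from its own records rather than from the request.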