Inventory Hive bug served up internal and external property images, along with members’ contact details
A vulnerability in the website of Inventory Hive, a property inventory service, was leaking members’ personal information, including their name and address, along with internal and external property images.
According to the security researcher who discovered the issue, the vulnerability offered would-be burglars not only a blueprint to “hundreds of thousands” of users’ homes, but also a readymade ‘shopping list’ of items the properties contained.
“A malicious user/thief had all the information needed to enter the [property],” researcher Marco Menozzi told The Daily Swig.
“This included details of the user (name, address); list/pictures of the user’s goods inside the apartment; detailed, high-resolution pictures of the entrance lock; and pictures of house intrusion alarms.”
In a recent email exchange, Menozzi explained how he stumbled across the issue because his own personal data was on the Inventory Hive website.
“Accessing my specific property report page, I found that by changing the token to an invalid one I was still able to access my report page,” he explained.
“I then tried to change the report ID in the URL to another one, and to my big surprise I had access to another user report page with all his sensitive data.”
The researcher added: “What was even worse is that the report ID in the URL is a simple sequential number/ID that starts from ‘0’ to the current user report number.
“So, I had access to hundreds of thousands of reports/users sensitive data across the UK going as back as 2017.”
Responding to questions from The Daily Swig this week, an Inventory Hive spokesperson said: “We were indeed made aware of a vulnerability… which was remediated as quickly as possible.”
In a security advisory issued on Monday (June 8), the UK-based property inventory company confirmed that the vulnerability could have allowed an unauthenticated user to view the gallery section of a completed report.
“The vulnerability was caused by a missing check on an authentication token passed as a GET parameter, and as long as a token was present it was not properly checked,” the company explained.
Quick fix prompts bug bounty launch
While the Inventory Hive platform bug could have had major implications for users’ privacy, Menozzi commended the company for turning around a rapid fix.
“They fortunately fixed the problem 30 minutes [after] I reported this to them,” he said.
Moreover, in the wake of this disclosure, Inventory Hive said it was now looking at new ways to improve the security of its platform. This includes setting up a new bug bounty program through Bugcrowd.
“We are aware that this is a new problem for us to encounter and are looking at ways that we can improve on prevention, detection and reporting of such advisories in the future,” the company said.
“There is no evidence to suggest that there has been a data breach beyond this reported incident. Our reporting logs dating back to the origin of this vulnerability do not identify any breaches outside of the reported incident.”
Inventory Hive said it has been in touch with the UK Information Commissioner’s Office for guidance.
“We would like to thank the person for reporting the bug to us and allowing us to fix it quickly,” Inventory Hive said.