
Just in case you hadn’t heard

The Companies House website was wholly open. Get into your own account with the authorisation code and so on. Then, with a bit of wibbling about (I understand it was “press back 4 times”) you can get into anyone’s and everyone’s.

Change the address of Shell, close down BP, etc etc…..

Brought to you by the people about to enforce Digital ID. And who gave you the Post Office thing about counting incomplete transactions as valid.

Western Bloke
1 month ago

Just watched the video. I noticed that the company number is in the URL and what’s the betting that no-one is verifying that is approved upon entry of each page. Roughly speaking, if you do the thing of passing a number in a URL, the first thing the page should do is compare it to the list of numbers that your login has access to, so if you overwrite it, it throws you out.

Alternatively, there’s a session/cookie being passed around with the number and someone updated it before the authorisation code and as you go back to the original page, it now has the new code.

Apart from the question of why we are probably paying £1K per day for someone to build code this shit, this is rookie security testing. This should be spotted even before it gets to the penetration testing ninjas that know all the weird risks.

Incentives etc. No-one in the civil service is going to get marched out of the door, even after multiple fuckups, have to work late fixing it, or even called an utter fuckwit by the boss. So, why do more than a half-arsed level of testing in between attending pointless meetings with tea and biscuits?
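The check described above (compare the number in the URL with the companies the login actually unlocked, and throw the request out on mismatch) as an added example; this is not code from the post or from Companies House, and the company numbers, authorisation codes and URL pattern are constructed for illustration:

```python
import re
from dataclasses import dataclass, field

# Constructed sample data, not real Companies House records.
COMPANIES = {
    "01234567": {"name": "Example Widgets Ltd", "address": "1 High St"},
    "07654321": {"name": "Other Trading Ltd", "address": "2 Low Rd"},
}
AUTH_CODES = {"01234567": "ABC123", "07654321": "XYZ789"}  # per-company codes
PATH_RE = re.compile(r"^/company/(\d{8})/address$")        # assumed URL shape

@dataclass
class Session:
    logged_in: bool = False
    unlocked: set = field(default_factory=set)  # companies this login proved

def unlock(session, number, code):
    """Entering the right authorisation code adds that company to the session."""
    if AUTH_CODES.get(number) == code:
        session.logged_in = True
        session.unlocked.add(number)
        return True
    return False

def vulnerable_handler(session, path):
    """Checks only that some code was entered, then trusts the URL's number."""
    m = PATH_RE.match(path)
    if not m or not session.logged_in:
        return 401, None
    return 200, COMPANIES.get(m.group(1))   # any unlocked login sees any company

def hardened_handler(session, path):
    """Compares the URL's number with the companies this session unlocked."""
    m = PATH_RE.match(path)
    if not m or not session.logged_in:
        return 401, None
    number = m.group(1)
    if number not in session.unlocked:
        return 403, None                    # overwrite the number: thrown out
    return 200, COMPANIES.get(number)

if __name__ == "__main__":
    s = Session()
    unlock(s, "01234567", "ABC123")          # unlock your own company only
    print(vulnerable_handler(s, "/company/07654321/address"))  # leaks the other one
    print(hardened_handler(s, "/company/07654321/address"))    # (403, None)
```

The same pattern applies to any per-object check, whichever store (session, cookie, database row) holds the list of objects a login is entitled to; the point is that the server recomputes entitlement on every request rather than trusting the identifier the client sent.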

Tim the Coder
1 month ago

This is a familiar story: about 10-15 years ago there was exactly the same problem with some student (medic?) application system.
You could just type in a URL with a different number and get any other applicants details….
As defence, the relevant minister said that the browsers used in testing did not show the address bar, so it didn’t occur to the muppets that you could do this.

As you say, isn’t it frightening these morons are in charge!
And their finger is on the button….

The Other Bloke in Italy
1 month ago

If you have a look at Companies House website, you will see a clue or two as to why the place is messed up.

gareth
1 month ago

Hadn’t heard – where is the info?

(so I can capture & save to use to prod the MP)

The Original Jim
1 month ago
OldYeoman
1 month ago

TBF, the BioBank thing isn’t quite the same, and actually highlights some good stuff that they’re doing.

The main database wasn’t compromised there (unlike Companies House), but was actually a result of researchers that were given access screwing up/not knowing what they’re doing. The reason I said it highlights some good stuff is that BioBank insists that any research done has to include publishing any code that was used – imagine that with something like Climate Science. Where it fell over was researchers were including chunks of the data they were working with when publishing the code publicly – horribly bad form, and it would be interesting to see what else got uploaded. If they were including sensitive data, I’d be amazed if a few of them didn’t include some passwords or keys for databases or other services they were using…

The Original Jim
1 month ago
Reply to  OldYeoman

“The main database wasn’t compromised there (unlike Companies House), but was actually a result of researchers that were given access screwing up/not knowing what they’re doing.”

That’s a great comfort to someone whose medical history is now plastered all over the dark web.

The Original Jim
1 month ago

PS All the more reason to abolish limited liability……. 🙂

andyf
1 month ago

I did much the same with the audit database of one of the world’s largest banks (comfortably in the global top 20).
I had access to all the skeletons and control failures globally. I was able to pull the lot and only told them 3 months later when I discovered it was still open.

Chris Miller
1 month ago

A related security issue was behind the premature reveal of Rachel-from-accounts’ budget by the OBR. Last year’s file was …budget2025, so you just change that to 2026 in the address bar and away you go. Forceful browsing is one name for it.

Shiney
1 month ago

To add to this….

Two years ago, in March 2024 the cost to make the annual confirmation statement for our small limited co was £13 – as it had been for many years.

Then suddenly, last year it went up to £34. We were then informed that each director/shareholder had to register with CH (using the Gov-UK one login app) before we were able to file for this year as it had to be done ‘electronically’. And the cost of this new, automated system?

£50 – yes, that’s right folks – FIFTY QUID, to inform them that nothing has changed.

There are 4.3 million registered companies (plcs, Ltds and LLPs) in the UK… that means the cost has gone from £55.9 million to £215 million – per annum!!!!

You can’t hate these people enough.
